University of Groningen Knowing what to do Li, Yanjun...ISBN: 978-94-034-0034-1 (eBook) Knowing What...

University of Groningen

Knowing what to doLi, Yanjun

IMPORTANT NOTE: You are advised to consult the publisher's version (publisher's PDF) if you wish to cite fromit. Please check the document version below.

Document VersionPublisher's PDF, also known as Version of record

Publication date:2017

Link to publication in University of Groningen/UMCG research database

Citation for published version (APA):Li, Y. (2017). Knowing what to do: a logical approach to planning and knowing how. University ofGroningen.

CopyrightOther than for strictly personal use, it is not permitted to download or to forward/distribute the text or part of it without the consent of theauthor(s) and/or copyright holder(s), unless the work is under an open content license (like Creative Commons).

Take-down policyIf you believe that this document breaches copyright please contact us providing details, and we will remove access to the work immediatelyand investigate your claim.

Downloaded from the University of Groningen/UMCG research database (Pure): http://www.rug.nl/research/portal. For technical reasons thenumber of authors shown on this cover page is limited to 10 maximum.

Download date: 19-12-2020

https://www.rug.nl/research/portal/en/publications/knowing-what-to-do(860ccaa2-2d13-41c4-9864-9146e72b3115).html

https://www.rug.nl/research/portal/en/publications/knowing-what-to-do(860ccaa2-2d13-41c4-9864-9146e72b3115).html

Yanjun Li

Knowing What to DoA logical approach to planning and knowing how

Copyright c© 2017 by Yanjun Li

This research was funded by China Scholarship Council (CSC).

ISBN: 978-94-034-0033-4ISBN: 978-94-034-0034-1 (eBook)

Knowing What to Do

A logical approach to planning and knowing how

PhD thesis

to obtain the degree of PhD at the University of Groningen on the authority of the

Rector Magnificus Prof. E. Sterken and in accordance with

the decision by the College of Deans.

This thesis will be defended in public on

Thursday 21 September 2017 at 11.00 hours

by

Yanjun Li

born on 18 February 1985 in Hebei, China

Supervisor

Prof. B.P. Kooi

Co-supervisor

Dr. J.A. van Laar

Assessment Committee

Prof. L.C. Verbrugge

Prof. V. Goranko

Prof. H.P. van Ditmarsch

Contents

Acknowledgements vii

1 Introduction 11.1 Planning under uncertainty . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Logics for planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.3 Logics inspired by planning . . . . . . . . . . . . . . . . . . . . . . . . 51.4 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2 A logic for conformant probabilistic planning 92.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2 The logic LCPP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.3 A deductive system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.3.1 Axiom system SLCPP . . . . . . . . . . . . . . . . . . . . . . 192.3.2 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

2.4 Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272.4.1 Normal form . . . . . . . . . . . . . . . . . . . . . . . . . . . 282.4.2 Nonstandard model . . . . . . . . . . . . . . . . . . . . . . . . 302.4.3 Canonical nonstandard model . . . . . . . . . . . . . . . . . . 37

2.5 Decidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

3 Knowing how with intermediate constraints 493.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493.2 The logic KHM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

3.2.1 Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . 503.2.2 A deductive system . . . . . . . . . . . . . . . . . . . . . . . . 52

3.3 Deductive completeness . . . . . . . . . . . . . . . . . . . . . . . . . 553.4 Decidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

4 Knowing how with weak conformant plans 694.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694.2 The logic KHW . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4.2.1 Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . 714.2.2 A deductive system . . . . . . . . . . . . . . . . . . . . . . . . 73

4.3 Deductive completeness . . . . . . . . . . . . . . . . . . . . . . . . . 75

v

vi CONTENTS

4.4 Decidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

5 Strategically knowing how 875.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875.2 The logic SKH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 895.3 A deductive system . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

5.3.1 Axiom system SKHS . . . . . . . . . . . . . . . . . . . . . . . 925.3.2 Soundness . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

5.4 Completeness and decidability . . . . . . . . . . . . . . . . . . . . . . 985.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

6 Privacy in arrow update logic 1056.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1056.2 The logic PAUL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

6.2.1 Syntax and semantics . . . . . . . . . . . . . . . . . . . . . . . 1066.2.2 Announcements in PAUL . . . . . . . . . . . . . . . . . . . . . 109

6.3 Tableau method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116.4 Decidability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1196.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

7 Conclusion 125

Appendix A Logical background 127A.1 Epistemic logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127A.2 Probabilistic dynamic epistemic logic . . . . . . . . . . . . . . . . . . 129

A.2.1 Linear inequality logic . . . . . . . . . . . . . . . . . . . . . . 129A.2.2 Probabilistic dynamic epistemic logic . . . . . . . . . . . . . . 131

A.3 Knowing-how Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 133A.4 Arrow update logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Bibliography 137

Samenvatting 143

About the author 145

Acknowledgements

First of all, I am in debt to Barteld Kooi, my supervisor. In the past four years, yourguidance and encouragement helped me a lot in my research. You spent lots of timereading drafts of my papers, gave me thoughtful comments and detailed suggestions.Moreover, you are not only a great scholar, a supportive supervisor, but also a cheerfuland warm-hearted person. Your help makes my Groningen life much easier.

I would like to thank Jan Albert van Laar, my co-supervisor. Thank you for yourhelpful comments. Especially, thank you for carefully reading the manuscript and help-ing me to improve the language of this thesis.

I am grateful to Yanjing Wang. You are like another supervisor to me. It is you thatencourage me coming to Groningen and pursuing a second PhD, and it is your help thatenables me to complete this thesis.

I am thankful to Beihai Zhou who is the supervisor of my first PhD at Peking Univer-sity. This second degree would not have happened without your support. I am thankfulto Yanjing Zhang at Hebei University. Thanks for all your help.

I also would like to thank my co-authors: Barteld Kooi, Yanjing Wang, Raul Fervariand Andreas Herzig for their genuine contributions. I am also grateful to the anonymousreferees who reviewed the papers that compose the main body of this thesis.

I thank the respectful members of my assessment committee: Rineke Verbrugge,Valentin Goranko and Hans van Ditmarsch. Thank you for your time and your valuablecomments.

I would like to thank all my colleagues in Groningen. You make the Faculty of Philo-sophy a pleasant place to work. For their helpful comments, I would like to thank themembers of PCCP and the members of WiP, including but not limited to, Job de Grefte,Coos Engelsma, Benjamin Bewersdorf, Stipe Pandzic, Yuri Santos, Max Bialek, LouweB. Kuijer, Wessel van Dommelen, Rohan French, Li-Chih Lin, Sanne Hupkes, SanderVerhaegh, Franziska Koder, Leon Geerdink, Oberto Marrama, Sjoerd Griffioen, HanThomas Adriaenssen, Paulien Talsma-Snellen, Bianca Bosman. For their help with tech-nical and financial issues, I would like to thank Marga Hids, Anita Willems-Veenstra,Siepie Blom, Fre Morrees, Hauke de Vries, and Eric Ruben.

I would like to thank all my friends in Groningen: Bin Jiang, Qian Li, LinyangLi, Peng Wang, Yu Sun, Yingruo Wang, Jianjun Tang & Wangli Cheng, Bo Zhang &Tingting Qi, Yuanze Wang & Jingjing Deng, Xiaoming Zhang & Ping Xu, Jiquan Wu &Zhonghong Ma, Peiliang Zhao & Lijuan Xing, Qingkai Yang & Yuhan Wang, ShengjieXiao & Baiyu An, Yanglei Yi, Haojie Cao, Jing Wu. It is you guys that make myGroningen life much happier.

I gratefully acknowledge financial support from China Scholarship Council (CSC).

vii

viii CONTENTS

Finally, I reserve my deepest gratitude to my family. Thank my sister and my brotherfor their support. Thank my parents and my wife for their unlimited love.

Chapter 1

Introduction

This thesis explores planning from a logical point of view. Planning theory is a centralarea in Artificial Intelligence (AI), and it is concerned with finding a plan (such as asequence of actions) to achieve goals. In AI, this theory consists of several areas eachhaving its own restrictive assumptions about the kind of setting in which the planningtakes place. In this thesis, we are mainly concerned with the area of planning underuncertainty. Here the agent is uncertain about his situation. There are two main topics ofthis thesis. One is to build a logical framework for capturing how the agent’s uncertaintyevolves in these planning problems. The other topic, since these planning problemsbring us some new idea of what it means to know how to achieve a goal, is to model thenew understanding of knowing how in logical systems.

1.1 Planning under uncertaintyConformant planning is the simplest version of planning under uncertainty. Before weintroduce it, we first explain the notion of a transition system. A (labelled) transitionsystem is a tuple 〈S,Act,R〉 where S is a set of states, Act is a set of actions (or labels),and R is a set of labelled transitions (i.e. a subset of S × Act × S). If S is finite, it iscalled a finite transition system. The fact that (s, a, t) ∈ R (also written as s a−→ t, ort ∈ Ra(s)) represents that there is a transition from s to t with label a. Intuitively, itmeans that performing the action a in state s might result in state t. A transition systemis deterministic if the next state is completely determined by the current state and theaction executed by the agent, which is formally expressed as that (s, a, t), (s, a, t′) ∈ Rimplies t = t′ (so that R is a partial function). Otherwise, it is nondeterministic.

Conformant planning Given a nondeterministic transition system 〈S,Act,R〉, an ini-tial uncertainty set U ⊆ S, and a goal set G ⊆ S, conformant planning is to find a planwhich is a finite linear sequence of actions such that performing the plan in each stateof U will never fail and always result in states in G (cf. Ghallab et al. (2004)). Such anaction sequence is called a conformant plan.

In conformant planning, it is assumed that the agent has no sensors, i.e. the environ-ment is unobservable. There are two kinds of uncertainty in conformant planning. Thelocation of the agent can be uncertain since the environment is unobservable, and the

1

2 CHAPTER 1. INTRODUCTION

results of performing an action in a state can be uncertain since the transition system isnondeterministic. If we restrict the transition system to be deterministic and the envir-onment is fully observable (which leads the initial uncertainty set to be a singleton), weend up with a problem of classical planning.

Here is an example of conformant planning. Figure 1.1 depicts a transition systemwhich can be seen as a map, where si are places connected by corridors (r) or stairs(u).1 Let the initial uncertainty set be {s2, s3}, that is, the agent is uncertain whether heis now in s2 or s3, and let the goal set be {s7, s8, s5}. From Figure 1.1, we can see thatperforming ru in s2 will lead to s7, and that performing ru in s3 will lead to s8. Boths7 and s8 are in the goal set, so the planning problem is solved. Please note that theenvironment is unobservable in conformant planning, which means there is no feedbackduring the execution of plans. In this example, if the agent is initially uncertain about s2

or s3, he is uncertain about s3 or s4 after moving right (r).

s6 s7 s8

s1 r // s2 r //

u

>>

u

OO

s3 r //

u

OO

s4 r //

u

OO

s5

Figure 1.1

As mentioned previously, conformant planning is the simplest version of planningunder uncertainty. If we extend the transition system of conformant planning with prob-abilities, we are in the area of conformant probabilistic planning.

Conformant probabilistic planning A probabilistic transition system is a quadruple〈S,Act,R, Pr〉, where 〈S,Act,R〉 is a finite transition system and Pr : R → (0, 1]is a transition probability function. Given a probabilistic transition system, an initialuncertainty set U , an initial belief state I : U → (0, 1] which is a probability distributionover U , and a goal set G, conformant probabilistic planning is to find a plan which is afinite sequence of actions such that the probability of reaching the goal by performingthe plan is no less than a given threshold δ ≤ 1. If the threshold δ is 1, we end up with aproblem of conformant planning.

The following is a conformant probabilistic planning problem. Figure 1.2 depictsa probabilistic transition system and an initial belief state of which the domain is U ={s1, s2}. Let the goal set be {s3, s5}. There is no conformant plan in this example. Wecan see that the probability of reaching the goal after performing a is 0.5×0.8 = 0.4, andthat the probability of reaching the goal after performing b is 0.5× 1 = 0.5. Therefore,if the threshold is 0.5, the action b is a solution.

Just as conformant planning, there is no observability in conformant probabilisticplanning. If we extend conformant planning with partial observability, we are in thearea of contingent planning.

Contingent planning A partially observable model is a tuple 〈S,Act,R,O〉, where〈S,Act,R〉 is a transition system and O is an equivalence relation on S which reflects

1This is a variant of the running example used in Wang and Li (2012).

1.1. PLANNING UNDER UNCERTAINTY 3

s1 : 0.5

a:0.8

{{a:0.2

))

b:1

��

s2 : 0.5

b:1

��s3 s4 s5

Figure 1.2

the features of the environment that can be observed 2. Given a partially observablemodel, an initial uncertainty set U , and a goal set G, a contingent plan is a partialfunction from P(S) to Act, which tells the agent which action to execute based on hiscurrent uncertainty set, such that if the agent acts accordingly then he is guaranteed toreach the goal after finitely many steps.

Partial observability is more general than full observability and non-observabilitybecause if O is the identity relation then it is fully observable and if O is the universalrelation S × S then it is unobservable. Please note that a contingent plan only makessense under partial observability. In an unobservable model (i.e.O = S×S), there mustbe a conformant plan if there exists a contingent plan.

s1 a // s2 b // s3

s4 a // s5 c // s6

Figure 1.3

Figure 1.3 depicts a partially observable model and an initial uncertainty set U ={s1, s4}, where the equivalence relation O is represented by the dotted line and we omitthe reflexive dotted arrows. Please note that the agent is certain about his location if heperforms a and, for example arrives at s5, at which time his uncertainty set will updateto be {s5}. Even though he would be uncertain about s5 or s2 without observation aftera, he will distinguish these two states by observation.

Given a partially observable model and an initial uncertainty set, there is an extendedmodel in which all the possible uncertainty sets are explicit. For example, the extendedmodel of Figure 1.3 is depicted in Figure 1.4. Let the goal set be G = {s3, s6}. We cansee that the partial function f = {{s1, s4} 7→ a, {s2} 7→ b, {s5} 7→ c} is a contingentplan.

We have introduced three kinds of planning problems under uncertainty: conformantplanning, conformant probabilistic planning, and contingent planning. Both conformantprobabilistic planning and contingent planning are extensions of conformant planning.Besides these, there are many other versions of planning in AI (cf. Ghallab et al. (2004)),such as planning that requires a successful solution to be finished in restricted time.In this thesis, we are mainly concerned with these three kinds of planning because anagent’s uncertainty plays an important role in these planning problems.

2In the standard formulation of contingent planning, O is an observation function from S to P(T ) whereT is a set of tokens, but we can always generate an equivalence relation based on the observation function.


s1 a // s2 b // s3

s4 a // s5 c // s6

Figure 1.4

1.2 Logics for planningDynamic epistemic logic (DEL) (cf. e.g., van Ditmarsch et al. (2007)) is a standardframework for reasoning about knowledge and change. In DEL, there is an epistemicmodel which describes the initial knowledge situation, and an operation called productupdate which computes a new epistemic model based on the old epistemic model andan event model. The product update describes the change of knowledge. In recent years,there has been a growing interest in applying DEL in planning under uncertainty, usingthe update of knowledge to capture the change of uncertainty during the execution ofplans. In these DEL-based planning frameworks, states in the uncertainty set constitutean epistemic model, actions are event models, and the state transitions are implicitlyencoded by the update product (cf. Bolander and Andersen (2011); Lowe et al. (2011)).

One advantage of this DEL-based approach is its expressiveness in handling multi-agent planning with knowledge goals (cf. e.g., Bolander and Andersen (2011); Loweet al. (2011); Andersen et al. (2012); Aucher (2012); Yu et al. (2013); Pardo and Sad-rzadeh (2013); Jensen (2014); Bolander et al. (2015); Muise et al. (2015)), while thetraditional AI planning focuses on the single-agent case. In particular, the event modelsof DEL (cf. Baltag and Moss (2004)) are used to handle non-public actions that maycause different knowledge updates for different agents. However, this expressivenesscomes at a price, as shown in Bolander and Andersen (2011); Aucher and Bolander(2013), that multi-agent epistemic planning is undecidable in general. Many interestingdecidable fragments are found in the literature (Bolander and Andersen (2011); Loweet al. (2011); Yu et al. (2013); Andersen et al. (2015)), which suggests that single-agentcases and some restrictions on the structure of event models are the keys to decidability.

Another logic framework for planning under uncertainty is the epistemic proposi-tional dynamic logic (EPDL) proposed in Yu et al. (2016) co-authored with Qu Yu andYanjing Wang. The model of EPDL is simply a transition system with initial uncertaintyas in the example shown in Figure 1.1. Even though there is no event model in EPDL,EPDL still adopts the idea of DEL by interpreting actions in the semantics as an updateon the uncertainty of the agent. EPDL also follows the idea of planning as model check-ing explored in Giunchiglia and Traverso (2000); van der Hoek and Wooldridge (2002);Jamroga and Agotnes (2007). The language of EPDL is very powerful, and it reducesthe problem whether a planning problem has a solution to a model checking problemwhether a EPDL formula is true in a model.

One impressive feature of the EPDL approach is that standard conformant plan-ning is generalized in the EPDL framework but the generalized conformant planningis equally hard as the standard conformant planning over explicit transition systems.EPDL generalizes the standard conformant planning problem in AI (over transition sys-tems) in two ways, w.r.t. the goal and also the constraint on the desired plan. First, the

1.3. LOGICS INSPIRED BY PLANNING 5

planning goal can be any EPDL formula. Since in EPDL regular operators are used toconstruct complex actions, we can express the goal “the agent knows that ϕ is forevertrue” byK[(a+b)∗]ϕ (assuming there are only two actions a and b). Second, proceduralconstraints on the desired plan specified by regular expressions can be imposed. For ex-ample, we can require that only action sequences where b cannot be executed before aare desired, which is expressed by (a∗; b∗). Furthermore, as pointed in Li et al. (2017),EPDL can be naturally extended to cover contingent planning. EPDL is not included inthis thesis. For further reading about EPDL, please see Wang and Li (2012); Yu et al.(2016); Li (2015, 2016).

Both approaches above (DEL and EPDL) are concerned with conformant planningand contingent planning. In Chapter 2 of this thesis, we propose a logic frameworkto deal with the change of belief state in conformant probabilistic planning. We ad-opt the idea of probabilistic dynamic epistemic logic (PDEL). PDEL, presented in Ap-pendix A.2, is a combination of probability logic and public announcement logic, whichmodels the change of belief due to announcements. Similar to EPDL, the logic pro-posed in Chapter 2 is over a probabilistic transition system and an initial belief state,where actions are interpreted in the semantics as an update on the belief state.

1.3 Logics inspired by planning

Epistemic logic presented in Appendix A.1 is a logical formalism of propositional know-ledge, which is the knowledge expressed by the phrase of knowing that p. Epistemiclogic is commonly accepted and widely applied in many fields, such as game theory,theoretical computer science, artificial intelligence, and so on. Besides propositionalknowledge, procedural knowledge is another kind of knowledge often discussed in epi-stemology, which is the knowledge expressed by the phrase of knowing how to do some-thing. However, there is no common consensus on how to formalize knowing how (cf.the recent surveys Gochet (2013) and Agotnes et al. (2015)).

Dating back to McCarthy and Hayes (1969); McCarthy (1979); Moore (1985); Singh(1994); Lesperance et al. (2000); van der Hoek et al. (2000), researchers have beenlooking at knowing how in the setting of propositional knowledge and actions, but thedifficulty is that simply combining the existing logics for knowing that and ability doesnot lead to a genuine notion of knowing how (cf. Jamroga and Agotnes (2007); Herzig(2015)). For example, knowing how to achieve p is not equivalent to knowing that thereexists a strategy to make sure that p. Let ϕ(x) express that x is a way to make sure somegoal is achieved. There is a crucial distinction between the de dicto reading of knowinghow (K∃xϕ(x)) and the desired de re reading (∃xKϕ(x)) (cf. Stanley and Williamson(2001); Jamroga and van der Hoek (2004); Agotnes (2006)). The latter implies theformer, but not the other way round. Proposals to capture the de re reading have beendiscussed in the literature, such as making the knowledge operator more constructive(Jamroga and Agotnes (2007)), making the strategy explicitly specified (Herzig et al.(2013); Belardinelli (2014)), or inserting K in-between an existential quantifier and theability modality in seeing-to-it-that (STIT) logic (Broersen and Herzig (2015)).

Inspired by the idea of conformant planning, Wang (2015a, 2016) proposes a newlogic of knowing how presented in Appendix A.3, in which agents’ knowing how toachieve a goal is interpreted as having a conformant plan for the goal. This approach is in


line with the de re reading of knowing how, but he introduces a single new modality Khof (goal-directed) knowing how, instead of breaking it down into other modalities. ThemodalityKh is a binary modality. The model of this logic is a transition system extendedwith an assignment, and the modality Kh is universal on the semantics. For example,the formula Kh(p, q), which reads as agents’ knowing how to achieve q-states from p-states, is true in the model depicted in Figure 1.5, if and only if there is a conformantplan with given initial uncertainty set U = {s2, s3} and goal set G = {s7, s8, s5}.

s6 s7 : q s8 : q

s1 r // s2 : p r //

u

::

u

OO

s3 : p r //

u

OO

s4 r //

u

OO

s5 : q

Figure 1.5

In Chapter 3 and Chapter 4 of this thesis, we extend the work of Wang (2015a, 2016).In real-life contexts, constraints on how we achieve the goal often matter. For example,we want to know how to win the game by playing fairly; people want to know how tobe rich without breaking the law. In Chapter 3, we generalize the modality Kh to be aternary knowing how operator to express that the agent knows how to achieve ϕ given ψwhile maintaining χ in-between. What is more, we think that, in our everyday life, therequirement of a conformant plan might be too strong for knowing-how. For example,considering Figure 1.5, let the initial uncertainty set remain the same as in Figure 1.1, i.e.U = {s2, s3}, but the goal is {s5}. Intuitively we still say we know how to achieve s5

because we can get there by moving right (r) at most three times. However, the plan rrris not a conformant plan since performing it in s3 will fail. We call such a plan “weakconformant plan”. In Chapter 4, we weaken the interpretation of the formula Kh(p, q)as having a weak conformant plan for achieving q given p.

Inspired by the idea of contingent planning, Chapter 5 extends the standard epistemiclogic with a unary knowing-how modality Khs, in which the formula Khsϕ is inter-preted as having a contingent plan to achieve ϕ. Since a contingent plan is also called astrategy, we call the logic strategically knowing-how logic (SKH). The model of SKH isa transition system extended with an equivalence relation, like Figure 1.4. Chapter 6 is apreparation for making SKH epistemically dynamic. As we know, extending epistemiclogic with public announcement operators [ϕ] is a natural way to make the logic dy-namic and to reason about knowledge change. However, it does not work for the logicSKH because updating a model of SKH with [ϕ] might remove some states from themodel, which will change the basic transition system of the model. Besides public an-nouncement logic, arrow update logic presented in Appendix A.4 proposes another wayto reasoning about knowledge change by removing epistemic accessibilities in a model.This method can be applied to SKH. The limitation is that the standard arrow updatelogic can only deal with public announcements. To reason about knowledge change dueto private announcements, Chapter 6 extends the standard arrow update logic.

1.4. OVERVIEW 7

1.4 Overview

Each main chapter is based on a published or submitted paper. To keep each chapterindependently readable, there is some overlap among chapters. The contribution of eachchapter is briefly summarized as follows.

Chapter 2, a logic for conformant probabilistic planning, is an extended versionof joint work with Barteld Kooi and Yanjing Wang. In this chapter, we introduce alogic framework that can be applied to conformant probabilistic planning. Conformantprobabilistic planning is to find a linear plan (a sequence of probabilistic actions) suchthat the probability of achieving the goal (a certain condition) after executing the planis no less than a given threshold probability δ. Our logical framework can trace thechange of the belief state of the agent (which is a probability distribution over states)during the execution of the plan. With this logic, we can enrich the standard conformantprobabilistic planning by formulating the goal as a dynamic epistemic logic formula.We provide a complete axiomatization of the logic. Moreover, this chapter shows thatthe logic is decidable.

Chapter 3, knowing how with intermediate constraints, is an extended version ofjoint work with Yanjing Wang (Li and Wang (2017)). In this chapter, we propose a tripleknowing-how operator to express that the agent knows how to achieve ϕ given ψ whilemaintaining χ in-between. It generalizes the knowing-how logic which is presentedin Appendix A.3. We give a sound and complete axiomatization of this logic. Whatis more, this chapter introduces a filtration method on the canonical model. By thefiltration method, it is shown that this logic has a small model property, and thus thelogic is decidable.

Chapter 4, knowing how with weak conformant plans, is an updated version of thepaper Li (2017). This chapter proposes a weaker but more realistic semantics to themodality of the knowing-how logic presented in Appendix A.3. According to this se-mantics, an agent knows how to achieve ϕ given ψ if (s)he has a finite linear plan bywhich (s)he can always end up with a ϕ-state when the execution of the plan terminates,whether or not each part of the execution has been completed. This weaker interpreta-tion of the knowing-how modality results in a weaker logic than the knowing-how logic.The composition axiom of the knowing-how logic is no longer valid. This chapter alsopresents a sound and complete axiomatic system and proves that this logic is decidable.

Chapter 5, strategically knowing how, is an elaborate version of joint work with RaulFervari, Andreas Herzig, and Yanjing Wang (Fervari et al. (2017)). In this chapter, weextend the standard epistemic logic of knowing that with a new knowing-how operator.The semantics of the new knowing-how operator is based on the idea that knowing howto achieve ϕ means that there exists a (uniform) strategy such that the agent knows thatit can make sure that ϕ. We give an intuitive axiomatization of our logic and provethe soundness, completeness and decidability of the logic. The crucial axioms relatingknowing that and knowing how illustrate our understanding of knowing how in thissetting. This logic can be used in representing both knowledge-that and knowledge-how.

Chapter 6, privacy in arrow update logic, is based on a short paper presented onthe conference of Advances in Modal Logic 2014. This chapter develops the arrowupdate logic. Arrow update logic presented in Appendix A.4 is a theory of epistemicaccess elimination that can be used to reason about information change. In the arrow


update logic, it is common knowledge among agents how each will process incominginformation. This chapter develops the basic theory of arrow update logic to deal withprivate and semi-private announcements. In this framework, the information is privatefor an agent group. This chapter also proposes a labelled tableau calculus for this logicand shows that this logic is decidable.

Chapter 2

A logic for conformantprobabilistic planning1

2.1 IntroductionAutomated planning is a branch of artificial intelligence concerned with devising a plan,which might be a strategy or an action sequence, to achieve some goals. Automatedplanning technology is widely applied in a variety of areas, ranging from controlling theoperations of spacecraft to playing the game of bridge. Classical planning, which is thesimplest form of automated planning, is the problem of finding a linear action sequencein a deterministic transition system such that executing the plan in the initial state willachieve the goal (cf. Ghallab et al. (2004)). There are two important simplifying as-sumptions for classical planning: determinacy and full observability. Full observabilityindicates that agent has complete knowledge about the system and the state in which thesystem starts, which means that the set of initial states from which the plan starts is asingleton.

Conformant planning generalizes classical planning by relaxing these two restric-tions, namely that it allows lack of knowledge of position in the system (and lack ofability to observe where agent is located) and it allows actions to be non-deterministic.The former means that the set of initial states needs no longer necessarily be a singleton(and corresponds to the agent’s initial uncertainty) but also means that one cannot at-tain certainty regarding one’s whereabouts based on observation during plan execution.A conformant plan is an action sequence to guarantee the agent’s arrival at one of thegoal states no matter what initial state the plan starts from and no matter how the (non-deterministic) plan is executed (cf. Ghallab et al. (2004)). Since conformant planningbrings out an agent’s uncertainty, rather than from the traditional AI approaches, we canprofit from an epistemic-logical perspective on conformant planning.

Epistemic planning is concerned with planning under uncertainty. Dynamic epi-stemic logic (DEL) (cf. van Ditmarsch et al. (2007)) can be used as a formal frameworkto deal with epistemic planning and can provide a useful generalization of conformantplanning by allowing the planner to formulate knowledge goals within a formal lan-

1This is an extended version of joint work with Barteld Kooi and Yanjing Wang.

9

10 CHAPTER 2. A LOGIC FOR CONFORMANT PROBABILISTIC PLANNING

guage. Moreover, by applying DEL in planning, we can handle multi-agent planningwith knowledge goals (cf. e.g., Andersen et al. (2012); Aucher (2012); Bolander andAndersen (2011); Bolander et al. (2015); Jensen (2014); Lowe et al. (2011); Muise et al.(2015); Pardo and Sadrzadeh (2013); Yu et al. (2013)). In particular, the event models ofDEL (cf. Baltag and Moss (2004)) are used to handle non-public actions that may yielddifferent knowledge updates for different agents. Within such DEL-based approaches,Wang and Li (2012) proposed a dynamic epistemic logic over transition systems withinitial uncertainty. This framework is extended in Yu et al. (2016) with propositionaldynamic logic programs in such a way that the standard conformant planning problemhas the form of a model checking problem in this framework.

Conformant probabilistic planning (CPP) is another significant generalization ofconformant planning. The demands that conformant planning puts on the solution maybe too strong, in the sense that a solution has to be found for sure. It may be the casethat a solution in this sense is impossible while there may still be some plan that leads toa goal state with very high probability. Conformant probabilistic planning generalizesconformant planning by relaxing the conditions on solutions to planning problems. Theframework of CPP is enriched with a probability distribution over states and tells us theprobability that a certain action will lead to a certain successor state. In this way prob-abilistic goals can be set that are easier to achieve than non-probabilistic goals, but willstill be such that they do provide a satisfactory plan that will lead to a goal state withacceptable probability.

Let us consider the following toy example of a planning problem where we need totake probability into account.2 Take a robot whose gripper is possibly wet. The gripperneeds to hold a block, but gripping a block while the gripper is slippery is more difficultthan when it’s dry. This can be modeled in a transition system with probabilities:

s1 : GD0.7

s3

0.3

s2 : GD,BH s4 : BH

b:0.05

a:1

b:0.95

b:0.5

b:0.5

a:0.8

a:0.2

There are two propositions: GD stands for gripper-dry and BH for block-held, and twoactions: a stands for drying and b for picking up. We model the initial belief state bya probability distribution over the states of the system B, which assigns the followingprobabilities: B(s1) = 0.7 and B(s3) = 0.3. The action a dries a dry gripper withprobability 1, but make a wet gripper dry with probability 0.8. The action b picks up theblock with probability 0.95 if the gripper is dry and with probability 0.5 if the gripper iswet. It is impossible to find a plan in this example that will guarantee that after executingthe plan the robot will hold a block. But for practical purposes it may be enough to finda plan to hold the block, which succeeds at least 90% of the time.

Conformant probabilistic planning is well studied in AI literature (cf. e.g., Kush-merick et al. (1995); Hyafil and Bacchus (2003, 2004); Bryce et al. (2008); Taig and

2This is a variant of the Slippery Gripper example reported in Kushmerick et al. (1995); Hyafil andBacchus (2003).

2.1. INTRODUCTION 11

Brafman (2013)). A variety of algorithms is developed to solve CPP problems, and eachalgorithm has its own advantage given certain assumptions about the system. Generally,the probability of achieving a goal state t by executing a plan π = a1 · · · an is calculatedin the following way (cf. Hyafil and Bacchus (2004)):

µπ(t) =∑

{s0···sn|∀1≤i≤n:si−1

ai−→si,sn=t}

B(s0)×Pr(s0, a1, s1)×· · ·×Pr(sn−1, an, sn)

where Pr(si−1, ai, si) means the probability of reaching si after executing ai at si−1.For example, in the Slippery Gripper example, the probability of achieving s2 by ex-ecuting ab is the following:

µab(s2)

= B(s1)× Pr(s1, a, s1)× Pr(s1, b, s2) +B(s3)× Pr(s3, a, s1)× Pr(s1, b, s2)

= 0.7× 1× 0.95 + 0.3× 0.8× 0.95

= 0.665 + 0.228 = 0.893

To achieve a higher probability of holding the block, the robot has to (try to) dry thegripper twice.

In this chapter, we build a logic framework over the CPP models so that we can en-rich the standard CPP problems with much more powerful goal formulas and investigatethe reasoning about actions and plans in CPP. Roughly speaking, we generalize single-agent epistemic planning and conformant probabilistic planning into one framework.Our approach combines conformant probabilistic planning and probabilistic dynamicepistemic logic (PDEL), which is presented in Appendix A.2 (cf. Kooi (2003); vanBenthem (2003); van Benthem et al. (2009)). In our language, there are two kinds ofmodalities: action modalities [a] and probability modalities Bπ . As in PDEL, the actionmodality is interpreted in the semantics as an update on the belief state which is a prob-ability distribution. The probability modality Bπ is interpreted as µπ like in the CPPliterature.

Our framework can also distinguish different conformant probabilistic plans moreprecisely. Consider the model M depicted in Figure 2.1. Let the goal be to reach p-

s1

0.5s2

0.5

s3 : p s4 : p s5

a:0.8

a:0.2

b:1

b:1

Figure 2.1:M

states with threshold probability 0.5, then both a and b are solutions. However, althoughµa(p) = µb(p) = 0.5, intuitively we feel that there are differences between these twosolutions. Plan a cannot always be successfully executed, but the agent is guaranteed toreach a p-state when a is successfully executed. Contrary to the plan a, the plan b canalways be successfully executed, but there is only 50% probability to achieve p-states


M|a

s1 s2

s3 : p0.8

s4 : p0.2 s5

a:0.8a:0.2

b:1

b:1

M|b

s1 s2

s3 : ps4 : p

0.5s5

0.5

a:0.8 a:0.2

b:1b:1

Figure 2.2

by doing b. In our framework, this can be expressed as Ba> = 0.5 ∧ [a](Bεp = 1)and Bb> = 1 ∧ [b](Bεp = 0.5). Therefore, if we care more about the probability ofachieving goals given the successful execution of the plan, a is a better solution than b.

Our framework is significantly different from PDEL since PDEL works with eventmodels rather than transition systems. Moreover, there is no syntax that is directly linkedto µπ . This is because µπ can be seen as a conditional probability weighed by theprobability of π being successfully executed (and in that sense it is closer to a priorprobability), namely:

µπ(t) = Pr(t | ex(π)) · Pr(ex(π))

where Pr(ex(π)) is the probability that π can be successfully executed. Pr(t | ex(π)),which is calculated in the updated model given the execution of π, can be expressedin PDEL, but Pr(ex(π)) cannot be expressed in PDEL since PDEL is only concernedwith probabilities expressing belief and not with the probability of actions. However,Pr(ex(π)) is a combination of belief probability and action probability.

The rest of this chapter is organized as follows: Section 2.2 introduces the languageand semantics, and also defines conformant probabilistic planning in terms of our logicframework; Section 2.3 presents the axiomatics of this logic; Section 2.4 proves itscompleteness; the last section concludes with some future directions.

2.2 The logic LCPPIn this section we introduce the logic of conformant probabilistic planning, and we de-note the logic as LCPP. Besides a (somewhat limited) dynamic logic of action, thelanguage of LCPP also has linear inequalities of weighted probabilistic terms, whichexpress the probability that a sequence of actions reaches a certain set of states. Thislanguage differs from the usual languages of PDEL in the sense that here actions areatomic and do not have an internal structure which explicates how it changes inform-ation. Also probabilistic expressions are indexed by sequences of actions, rather thanhaving no index. Of course in PDEL probability terms are indexed by agents. To keepthings simple in this chapter we focus on the single-agent case.

Definition 2.2.1 (Language) Let a countable set of propositional variables P and a

2.2. THE LOGIC LCPP 13

finite set of actions Act be given. The language LLCPP is defined as the following BNF:

ϕ ::= p | ¬ϕ | (ϕ ∧ ϕ) | [a]ϕ | q1Bπ1ϕ1 + · · ·+ qnBπnϕn ≥ q

where p ∈ P, a ∈ Act, πi ∈ Act∗, i.e. a finite string (possible empty) of actions andq, qi ∈ Q for each 1 ≤ i ≤ n.

Besides the usual abbreviations, we have the following.

∑ni=1 qiBπiϕi ≥ q := q1Bπ1

ϕ1 + · · ·+ qnBπnϕn ≥ qq1Bπ1

ϕ1 ≥ q2Bπ2ϕ2 := q1Bπ1

ϕ1 + (−q2)Bπ2ϕ2 ≥ 0∑n

i=1 qiBπiϕi ≤ q :=∑ni=1(−qi)Bπiϕi ≥ (−q)∑n

i=1 qiBπiϕi < q := ¬(∑ni=1 qiBπiϕi ≥ q)∑n

i=1 qiBπiϕi > q := ¬(∑ni=1 qiBπiϕi ≤ q)∑n

i=1 qiBπiϕi = q := (∑ni=1 qiBπiϕi ≥ q) ∧ (

∑ni=1 qiBπiϕi ≤ q)∑n

i=1 qiBπiϕi 6= q := (∑ni=1 qiBπiϕi > q) ∨ (

∑ni=1 qiBπiϕi < q)

Bπϕ = Bπ′ϕ′ := 1Bπϕ− 1Bπ′ϕ

′ = 0Kϕ := Bεϕ = 1

Kϕ := ¬K¬ϕ〈a〉ϕ := ¬[a]¬ϕ〈a1 · · · an〉ϕ := 〈a1〉 · · · 〈an〉ϕLaMϕ := [a]ϕ ∧ 〈a〉ϕLa1 · · · anMϕ := La1M · · · LanMϕ[a1 · · · an]ϕ := [a1] · · · [an]ϕ

We call formula of the form∑ni=1 qiBπiϕi ./ q as probability formula, where ./ is one

of ≤,≥, <,>,=, 6=.

Let us explain how to read the formulas of the language. Propositional variablessuch as p express basic properties of a world, such as “the coin landed heads”. Then wehave standard negation and conjunction. We read formulas of the form [a]ϕ as “after allexecutions of action a it is the case that ϕ”. In order to read linear inequality formulasof the form q1Bπ1ϕ1 + · · · + qnBπnϕn ≥ q we first explain how to read Bπϕ. Theessential idea is that it represents the probability of getting ϕ using π. More precisely,it consists of two parts: the probability of ϕ given the successful execution of π, andthe probability of the successful execution of π. Roughly speaking, we have Bπϕ =Pr(ϕ | ex(π)) ·Pr(ex(π)). As will become more clear after introducing the semantics,Pr(ϕ | ex(π)) will be calculated in the updated model given the execution of π. In otherwords, Bπϕ is the non-normalized probability of ϕ in the model you get by executingπ. If π is not executable, this should be zero, and if it is executable it is the probabilityof ϕ in the updated model multiplied by the probability of the executability of π in orderto undo the normalization. Now the linear equality is where we take a sum of theseterms multiplied by rational numbers and compare this sum to a rational number. Thesemantics of Definition 2.2.9 will make this precise.

The language is interpreted on models which are in a sense probabilistic transitionsystems. There are two kinds of probabilistic elements in these models. There is a priorprobability distribution representing the initial uncertainty of the agent, and there is aprobability function which indicates for each state and each action that can be executed


at that state which probability one has of reaching some other state. There is one addi-tional difference between these models and the models that also appear in some of theCPP literature, namely that we allow actions to be unexecutable, and we allow the initialuncertainty only to be concerned with a strict subset of the set of all states.

Definition 2.2.2 (Model) A modelM is a tuple 〈SM, RM, P rM, IM, BM, VM〉 suchthat

• SM 6= ∅, a (finite) set of states;3

• RM ⊆ SM×Act×SM, a non-deterministic execution relation for each action;

• Pr : RM → Q+ is a probability function that expresses the probability thatan action will lead to another state, such that for all a ∈ Act it holds that∑t∈RMa (s) Pr

M(s, a, t) = 1;

• IM is a non-empty subset of SM, consisting of those states that the agent con-siders possible;

• BM : IM → Q+ is a probability distribution over states in IM expressing theprobability of being the true initial state such that

∑s′∈IM BM(s′) = 1;

• VM : P→ P(SM), a valuation function indicating for each propositional vari-able in which set of worlds it holds.

For each s ∈ IM, (M, s) is a pointed model.

GivenM, (s, a, t) ∈ RM is also denoted as s a−→ t, (s, t) ∈ RMa or t ∈ RMa (s).Before we provide the semantics, we first provide the notions needed to define how

models are updated by executing a sequence of actions, since we need those models tointerpret actions and probabilistic statements. First, we define the semantic structure thatis associated with a sequence of actions, called the set of execution paths.

Definition 2.2.3 GivenM, π = a1 · · · an, we call s0a1 · · · sn, which is an alternatingsequence of states and actions, an execution path of π inM if s0 ∈ IM and si−1

ai−→ sifor each 1 ≤ i ≤ n. If the action sequence is obvious, we also write the execution paths0a1 · · · sn as a sequence of states s0 · · · sn. The set of execution paths of π in M isdenoted as EPM(π).

After executing a sequence π, the probability the agent assigns to the states of themodel changes. Let IM|a be the set {t ∈ SM | s a−→ t for some s ∈ IM}, andIM|π = IM|a1 · · · |an where π = a1 · · · an. We use the following auxiliary notion toupdate this probability.

Definition 2.2.4 Given M and π = a1 · · · an ∈ Act∗, the function µMπ : IM|π →(0, 1] is defined as follows: for each t ∈ IM|π ,

µMπ (t) =∑

{s0···sn∈EPM(π)|sn=t}

(BM(s0)×Πni=1Pr

M(si−1, ai, si))

Given T ⊆ IM|π and π, let µMπ (T ) =∑t∈T µ

Mπ (t), especially, µMπ (∅) = 0.

3The restriction to a finite set of states is to make the presentation more simple. We could easily removethis restriction and use sigma-algebras and fully general probability theory, but this would only distract fromthe issues we are exploring in this chapter.


Intuitively, µMπ (t) stands for the agent’s belief degree of reaching t after the agentperforms π.

Remark 2.2.5 Similar to the forward algorithm for computing the probability of a par-ticular observable sequence in Hidden Markov Models (cf. e.g., Rabiner (1990)), wecan also compute µMπ (t) recursively by computing µMπ′ (t

′) for all the initial segmentsπ′ of π and the relevant states t′.

The updated probability of the agent applies to a possibly updated set of states thatthe agent considers possible. Now we define the updated probability of the agent.

Definition 2.2.6 GivenM and π = a1 · · · an ∈ Act∗ such that IM|π 6= ∅, functionBM|π : IM|π → Q is defined as follows: for each t ∈ IM|π ,

BM|π(t) =µMπ (t)

µMπ (IM|π)

Note that in this definition both the numerator and the denominator are non-zerogiven the way we set things up. Note that by assuming that IM|π is non-zero it fol-lows that EPM(π) is non-empty. Since we assumed that the probability functions inthe model only assign positive probabilities and that t is in IM|π , both numerator anddenominator are non-zero. More formally:

Proposition 2.2.7 Given M, π = a1 · · · an and I|π 6= ∅, we have that BM|π is aprobability function from IM|π to Q+ and

∑t∈IM|π B

M|π(t) = 1.

Given all these definitions, it is now easy to define the updated model.

Definition 2.2.8 Given modelM = 〈SM, RM, P rM, IM, BM, VM〉 and IM|π 6= ∅,modelM|π is defined as 〈SM, RM, P rM, IM|π, BM|π, VM〉.

We use this definition of an updated model in the semantics of actions and the linearinequalities of probabilities. The rest of the semantics is far more straightforward.

Definition 2.2.9 (Semantics) Given pointed model M, s, the truth relation is definedas follows:

M, s � p ⇐⇒ s ∈ VM(p)M, s � ¬ϕ ⇐⇒ M, s 2 ϕ

M, s � ϕ ∧ ψ ⇐⇒ M, s � ϕ andM, s � ψM, s � [a]ϕ ⇐⇒ for all s′ : s

a−→ s′ impliesM|a, s′ � ϕM, s �

∑ni=1 qiBπiϕi ≥ q ⇐⇒

∑ni=1 qiµ

Mπi (JϕiKM|

πi) ≥ q

where JϕKM|πi

= {s ∈ IM|πi | M|πi , s � ϕ}.

Remark 2.2.10 Note that if M, s is a pointed model, i.e., s ∈ IM, and s a−→ s′ thenM|a, s′ is also a pointed model, i.e., s′ ∈ IM|a = IM|

a

.

Proposition 2.2.11 The function µMπ is a non-normalized probability, and it has thefollowing properties:


(1) µMπ (JϕKM|π

) ≥ 0;

(2) µMπ (JϕKM|π

) + µMπ (J¬ϕKM|π

) = µMπ (J>KM|π

)

(3) µMε (J>KM) = 1

(4) µMπa(J>KM|πa

) = µMπ (J〈a〉>KM|π

)

PROOF Since JϕKM|π ⊆ IM|π , (1) is obvious by Definition 2.2.4. Since J¬ϕKM|

π

=IM|π \ JϕKM|

π

and J>KM|π

= IM|π , (2) is obvious by Definition 2.2.4. SinceµMε = BM, (3) is obvious. For (4), let π = a1 · · · an and an+1 = a then we havethe following:

µMπa(J>KM|πa

)

=µMπa(IM|πa)

=∑

s0···sn+1∈EPM(πa)

(BM(s0)×Πn+1i=1 Pr

M(si−1, ai, si))

=∑

{s0···sn∈EPM(π)|∃t:t∈RMa (sn)}

(BM(s0)×Πni=1Pr

M(si−1, ai, si)× (∑

t∈RMa (sn)

PrM(sn, a, t)))

=∑

{s0···sn∈EPM(π)|∃t:t∈RMa (sn)}

(BM(s0)×Πni=1Pr

M(si−1, ai, si))

=∑

{s0···sn∈EPM(π)|sn∈J〈a〉>KM|π}

(BM(s0)×Πni=1Pr

M(si−1, ai, si))

=µMπ (J〈a〉>KM|π

)

2

Proposition 2.2.12 Given π = a1 · · · an, we have that µMπ (J>KM|π

) = 1 if and only ifM, s � KLπM>.4

PROOF Let π(i) = a1 · · · ai for each 1 ≤ i ≤ n and π(0) = ε then it is easy to showthatM, s � KLπM> if and only ifM|π(i) , v � 〈ai+1〉> for each 0 ≤ i < n and eachv ∈ IM|π(i) .

From left to right: It follows by Proposition 2.2.11 that for each 0 ≤ i < n, we have

µMπ(i+1)(J>KM|

π(i+1)) = µMπ(i)

(J〈ai+1〉>KM|π(i)

) ≤ µMπ(i)(J>KM|

π(i)).

Since µMπ (J>KM|π

) = 1 and µMε (J>KM) = 1, it follows that µMπ(i)(J〈ai+1〉>KM|

π(i)) =

µMπ(i)(J>KM|

π(i)) for each 0 ≤ i < n. Assume thatM, s 2 KLπM> then it follows that

there are 0 ≤ j < n and v ∈ IM|π(j) such thatM, v 2 〈aj+1〉>. Since v ∈ IM|π(j) ,

4Please recall that La1 · · · anM> := La1M · · · LanM> and LaMϕ := 〈a〉ϕ ∧ [a]ϕ.


it follows by Definition 2.2.4 that µMπ(j)> 0. Thus, we have µMπ(j)

(J〈aj+1〉>KM|π(j)

) <

µMπ(j)(J>KM|

π(j)). Contradiction. Therefore, we haveM, s � KLπM>.

From right to left: We will show that µMπ(i)(J>KM|

π(i)) = 1 for each 0 ≤ i ≤ n by

induction on i. It is obvious if i = 0. If i = j+1 where 0 ≤ j < n, µMπ(j+1)= µMπ(j)aj+1

.It follows by Proposition 2.2.11 that we have the following:

µMπ(j)aj+1(J>KM|

π(j)aj+1

) = µMπ(j)(J〈aj+1〉>KM|

π(j))

µMπ(j)(J〈aj+1〉>KM|

π(j)) + µMπ(j)

(J¬〈aj+1〉>KM|π(j)

) = µMπ(j)(J>KM|

π(j))

It follows by IH that µMπ(j)(J>KM|

π(j)) = 1. Therefore, we only need to show that

µMπ(j)(J¬〈aj+1〉>KM|

π(j)) = 0. SinceM, s � KLπM>, namely, M|π(i) , v � 〈ai+1〉>

for each 0 ≤ i < n and each v ∈ IM|π(i) , we have J¬〈aj+1〉>KM|π(j)

= ∅. Thus,µMπ(j)

(J¬〈aj+1〉>KM|π(j)

) = 0. 2

Recall that [a]ϕ means that ϕ holds after executing a, and µMπi (JϕiKM|πi

) is theprobability of reaching ϕi by executing πi. We will show how the semantics works byworking through an example.

Example 2.2.13M

s1 : 0.5a:0.5 //

a:0.5

$$

s4 s7 p

s2 : 0.3

a:1

$$

s5

b:1

<<

s8 p

s3 : 0.2a:1 // s6 p

b:1

<<

M|a

s1a:0.5 //

a:0.5

$$

s4 : 0.25 s7 p

s2a:1

$$

s5 : 0.25

b:1 ::

s8 p

s3a:1 // s6 : 0.5 p

b:1 ::

1. M, s1 � BεLaM> = 1

2. M, s1 � [a]Bεp = 0.5

3. M, s1 � Bap = 0.5

4. M, s1 � BεLaMLbM> = 0.5

5. M, s1 � [ab]Bεp = 1

6. M, s1 � Babp = 0.75

1. This formula shows that initially action a is executable in the set I (where I is theset of worlds the agent considers possible, i.e. {s1, s2, s3} indicated by the dottedline). In this sense, the agent knows or is certain that a is executable.

2. This formula shows that after all executions of action a the agent assigns probab-ility 0.5 to the set of p-states (i.e. the singleton state s6).


3. This formula says that the agent assigns probability 0.5 to end up in a p-state bysuccessfully executing a. Remember this is the probability of the executability ofa that we found above (which was 1) multiplied with the conditional probabilityof p given that a was executed, which we also found above (which was 0.5). Ofcourse, the result is also 0.5.

4. This formula expresses that initially the sequence of actions a and then b is ex-ecutable with probability 0.5, because the formula is only true in s2 and s3.

5. This formula expresses that after a successful execution of the sequence ab it iscertain that p, because p is true in both s7 and s8.

6. This formula expresses that the probability of ending up in a p-state by success-fully executing ab is 0.75. In contrast to the formula in 4 we now also take intoaccount that s1, s5, s7 is an ab execution path.

We will use this logic as a tool to develop a framework for probabilistic conformantplanning, which we can now define in a precise way.

Definition 2.2.14 (Conformant Probabilistic planning) Given a model M, s, a goalformula ϕ, and a threshold δ, probabilistic conformant planning for ϕ overM, s w.r.t.δ is to find a linear plan π ∈ Act∗ such that M, s � Bπϕ ≥ δ, where π is called asolution to the probabilistic planning problem.

According to the above definition, to verify that π is a solution is to model checkBπϕ ≥ δ in the pointed model. In the above example, according to item 6, if δ ≤ 0.75then ab is a solution to the probabilistic planning problem for p overM, s1 w.r.t. δ.

Proposition 2.2.15 GivenM, s and ϕ, if δ = 1 then the probabilistic conformant plan-ning problem for a non-probabilistic ϕ over M, s w.r.t. δ is a standard conformantplanning problem for ϕ over M, s where the probabilities over the states and trans-itions do not matter, i.e.M, s � Bπϕ = 1 ⇐⇒ M, s � KLπMϕ.

PROOF We only need to show that µMπ (JϕKM|π

) = 1 if and only ifM, s � KLπMϕ.From left to right: Since JϕKM|

π ⊆ J>KM|π

, it follows that µMπ (J>KM|π

) ≥ 1.It follows by Proposition 2.2.11 that µMπ (J>KM|

π

) ≤ µMε (J>KM) = 1. Therefore,µMπ (J>KM|

π

) = 1. It follows by Proposition 2.2.12 that M, s � KLπM>. Thus, weonly need to show that J¬ϕKM|

π

= ∅. Since µMπ (JϕKM|π

) = µMπ (J>KM|π

) = 1, itfollows by Proposition 2.2.11 that µMπ (J¬ϕKM|

π

) = 0. Therefore, J¬ϕKM|π

= ∅.From right to left: Since M, s � KLπMϕ, we have that M, s � KLπM> and

J¬ϕKM|π

= ∅. It follows by Proposition 2.2.12 that µMπ (J>KM|π

) = 1. Since J¬ϕKM|π

=∅, we have µMπ (J¬ϕKM|

π

) = 0. It follows by Proposition 2.2.11 that µMπ (JϕKM|π

) = 1.2

Example 2.2.16 (The pill or surgery problem) Please consider the following scenario.There is a disease (let p signify that the agent has the disease), which the agent certainlyhas. There are two kinds of treatment available: surgery or pills. Surgery will very likelybe effective, but unfortunately surgery comes with the risk that unpleasant side-effectsmay occur (let q express that these side-effects occur). Pills will certainly work, but

2.3. A DEDUCTIVE SYSTEM 19

only for certain genotypes of agents. For agents with the wrong genotype, allergies willprevent the agent being able to swallow the pills. The agent believes with probability0.8 that she has the right genotype. If she has the right genotype, surgery will not beas likely to succeed as when she does not have the right genotype. Let’s say that if shehas the wrong genotype surgery will succeed without any side-effects with probability0.9 and have side-effects with probability 0.1. If she has the right genotype, surgerywill succeed without side-effects with probability 0.8 and will lead to side-effects withprobability 0.2. This situation is displayed below. Here, action b is having surgery, andaction c is taking pills. Note that not swallowing the pills means that action c is notexecutable (because the agent will not be able to really take the pills).

s1 : p0.2

b:0.1

{{b:0.9

))

s2 : p0.8

b:0.2uu

b:0.8

""

c

��s3 : q s4

Bb(¬p ∧ ¬q) = 0.8× 0.8 + 0.2× 0.9 = 0.82Bc(¬p ∧ ¬q) = 0.8

Suppose that the goal of the agent is to become healthy with no side-effects. Let’ssay that the threshold is 0.81. Which course of action is best? As is clear from thecalculation above, plan b, i.e. surgery, will yield the desired result with probability 0.82,whereas plan c will lead to the desired goal with probability 0.8, and so it is best for theagent to have surgery.

2.3 A deductive system

2.3.1 Axiom system SLCPPIn this section, we provide a Hilbert-style proof system for the logic presented above. Aproof consists of a sequence of formulas such that each formula is either an instance ofan axiom or it can be obtained by applying one of the rules to formulas occurring earlierin the sequence.

Definition 2.3.1 (SLCPP System) The axiom system SLCPP is shown in Table 2.1. Wewrite SLCPP ` ϕ (or sometimes just ` ϕ) to mean that the formula ϕ is derivable inthe axiomatic system SLCPP; the negation of SLCPP ` ϕ is written SLCPP 0 ϕ (orjust 0 ϕ). To say that a set D of formulas is SLCPP-inconsistent (or just inconsistent)means that there is a finite subsetD′ ⊆ D such that ` ¬

∧D′, where

∧D′ :=

∧ϕ∈D′ ϕ

if D′ 6= ∅ and∧ϕ∈∅ ϕ := >. To say that a set of formulas is SLCPP-consistent

(or just consistent) means that the set of formulas is not inconsistent. Consistency orinconsistency of a formula refers to the consistency or inconsistency of the singleton setcontaining the formula.

The linear inequality axioms can be found in Definition A.2.4 of Appendix A.2.1.Let us explain how the above axioms are to be read. We only focus on those involvingprobability. Axiom T expresses that truths are assigned a positive probability. This isbecause the empty sequence is always executable and we defined pointed models suchthat the state is always in IM, so it will always receive positive probability.


AXIOMSAll instances of propositional tautologiesAll instances of linear inequality axioms

DIST(a) [a](ϕ→ ψ)→ ([a]ϕ→ [a]ψ)T Kϕ→ ϕ

Nonneg(π) Bπϕ ≥ 0PRTR(ε) K>PRF(πa) Bπaϕ ≤ Bπ〈a〉ϕPRFEQ(πa) Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) = 0↔ Bπaϕ = Bπ〈a〉ϕAdd(π) Bπ(ϕ ∧ ψ) +Bπ(ϕ ∧ ¬ψ) = Bπϕ

ITSP (∑ni=1 qiBππ′iϕi ./ qBπ>)→ Bπ(

∑ni=1 qiBπ′iϕi ./ q) = Bπ>

CP 〈a〉> → ([a](∑ni=1 qiBπiϕi ./ q)↔

∑ni=1 qiBaπiϕi ./ qBa>)

DET 〈a〉ϕ→ [a]ϕ where ϕ is a probability formula

RULESMP From ϕ→ ψ and ϕ, infer ψGEN From ϕ, infer [a]ϕEquivalence From ϕ↔ ψ, infer Bπϕ = Bπψ

Table 2.1: System SLCPP(Please recall that ./ is one of ≤,≥, <,>,=, 6=.)

Axiom Nonneg(π) expresses that any formula receives a non-negative probability(since negative probabilities don’t make sense).

Axiom PRTR(ε) expresses that the set of states that the agent considers possible isassigned probability 1.

Axiom PRF(πa) expresses that the probability of those πa-execution paths leadingto ϕ states, is less than or equal to the probability of those π-execution paths leadingto states where a can lead to a ϕ state. This is because executing π may lead to a statewhere executing amay lead to a ϕ-state, but executing a could also lead to a non-ϕ-state.

Axiom PRFEQ(πa) expresses the condition under which the above probabilities areequal. This is the case if either all a-paths in π-reachable states lead to ϕ-states or ifall a-paths in π-reachable states lead to non-ϕ-states, or in other words whenever theprobability that executing a can lead to a ϕ-state and can lead to a non-ϕ-state is zero.

Axiom Add(π) expresses that probabilities are additive.Axiom ITSP is the combination of 4 and 5. Two simple forms of ITSP are the

following.Bεϕ ≥ q → Bε(Bεϕ ≥ q) = 1¬(Bεϕ ≥ q)→ Bε(Bεϕ < q) = 1

Axiom CP is essentially the definition of the update using normalization, given thata is executable. A simple form of CP is the following.

〈a〉> → ([a](Bεϕ ./ q)↔ Baϕ ./ qBa>)


Note that DET is not valid for arbitrary ψ. It is crucial that a is not deterministic forbasic facts.

Proposition 2.3.2 ` Bπ⊥ = 0

PROOF It follows by Axiom Add(π) that ` Bπ>+ Bπ⊥ = Bπ>, namely ` Bπ>+Bπ⊥ + (−1)Bπ> = 0. It follows by the axioms of linear inequality logic, addition ofcoefficients, that ` Bπ⊥+(0)Bπ> = 0. By the 0-term axiom of linear inequality logic,it follows that ` Bπ⊥ = 0. 2

Proposition 2.3.3 ` Bπϕ = Bπ> → Bπ¬ϕ = 0

PROOF It follows by Axiom Add(π) that ` Bπϕ + Bπ¬ϕ = Bπ>. Therefore, bylinear inequality logic, we have ` Bπϕ = Bπ> → Bπ¬ϕ = 0. 2

Proposition 2.3.4 If ` ψ ↔ χ then ` ϕ↔ ϕ(ψ/χ).

PROOF We prove it by induction on ϕ. We only focus on the case of∑ni=1 qiBπiϕi ≥

q; the other cases are straightforward.If ϕ :=

∑ni=1 qiBπiϕi ≥ q, it follows by IH that ` ϕi ↔ ϕi(ψ/χ) for each 1 ≤ i ≤

n. By Rule Equivalence presented in Table 2.1, we have that Bπiϕi = Bπiϕi(ψ/χ). Itfollows by linear inequality logic that ` ϕ↔

∑ni=1 qiBπiϕi(ψ/χ) ≥ q. 2

Proposition 2.3.5 If ` ϕ→ ψ then we have ` Bπϕ ≤ Bπψ.

PROOF It follows by ` ϕ→ ψ that ` ϕ ∨ ψ ↔ ψ. By the Equivalence rule, we have` Bπ(ϕ∨ψ) = Bπψ. It follows by Axiom Add(π) that ` Bπ((ϕ∨ψ)∧ϕ) +Bπ((ϕ∨ψ) ∧ ¬ϕ) = Bπ(ϕ ∨ ψ), and then ` Bπ((ϕ ∨ ψ) ∧ ϕ) + Bπ((ϕ ∨ ψ) ∧ ¬ϕ) = Bπψ.Since ` (ϕ ∨ ψ) ∧ ϕ ↔ ϕ, it follows ` Bπ((ϕ ∨ ψ) ∧ ϕ) = Bπϕ. Thus, wehave ` Bπϕ + Bπ((ϕ ∨ ψ) ∧ ¬ϕ) = Bπψ. It follows by Axiom Nonneg(π) that` Bπ((ϕ ∨ ψ) ∧ ¬ϕ) ≥ 0. Thus, we have ` Bπϕ ≤ Bπψ. 2

Proposition 2.3.6 ` Bπa> = Bπ〈a〉>

PROOF It follows by MP and GEN that ` 〈a〉⊥ ↔ ⊥. Thus we have ` (〈a〉> ∧〈a〉⊥) ↔ ⊥. It follows by rule Equivalence that Bπ(〈a〉> ∧ 〈a〉⊥) = Bπ⊥. It followsby Proposition 2.3.2 that Bπ(〈a〉> ∧ 〈a〉⊥) = 0. It follows by Axiom PRFEQ(πa) that` Bπa> = Bπ〈a〉>. 2

Proposition 2.3.7 ` Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) > 0↔ Bπaϕ < Bπ〈a〉ϕ

PROOF (1) ` Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) 6= 0↔ Bπaϕ 6= Bπ〈a〉ϕ by Axiom PRFEQ(πa)(2) ` Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) 6= 0↔ Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) > 0 by Axiom Nonneg(π)(3) Bπaϕ 6= Bπ〈a〉ϕ↔ Bπaϕ < Bπ〈a〉ϕ by Axiom PRF(πa)(4) ` Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) > 0↔ Bπaϕ < Bπ〈a〉ϕ by (1)-(3) 2


Proposition 2.3.8 ` [a](∑ni=1 qiBπiϕi ./ q∨ψ)↔ (

∑ni=1 qiBaπiϕi ./ qBa>)∨ [a]ψ

PROOF Firstly, to make the proof shorter, let χ :=∑ni=1 qiBπiϕi ./ q and χ′ :=∑n

i=1 qiBaπiϕi ./ q.⇒(1) ` [a](χ ∨ ψ) ∧ [a]¬χ→ [a]ψ by normal modal logic(2) ` 〈a〉χ→ 〈a〉> ∧ [a]χ by normal modal logic and Axiom DET

(3) ` 〈a〉> ∧ [a]χ→ χ′ by Axiom CP

(4) ` 〈a〉χ→ χ′ by (2), (3)(5) ` ¬χ′ → [a]¬χ by (4)(6) ` [a](χ ∨ ψ) ∧ ¬χ′ → [a]ψ by (1) and (5)(7) ` [a](χ ∨ ψ)→ χ′ ∨ [a]ψ by (7)⇐(1) ` [a]ψ → [a](χ ∨ ψ) by normal modal logic(2) ` χ′ → (〈a〉> → [a]χ) by Axiom CP

(3) ` χ′ → [a]⊥ ∨ [a]χ by (2)(4) ` [a]⊥ → [a]χ by normal modal logic(5) ` χ′ → [a]χ by (3) and (4)(6) ` χ′ → [a](χ ∨ ψ) by (5)(7) ` χ′ ∨ [a]ψ → [a](χ ∨ ψ) by (1) and (6) 2

Proposition 2.3.9 ` ¬(∑ni=1 qiBππ′iϕi ./ qBπ>)→ Bπ(

∑ni=1 qiBπ′iϕi ./ q) = 0

PROOF Let χ be the formula∑ni=1 qiBπ′iϕi ./ q, and let ./ denote >,<,≥,≤, 6= or

= if ./ is ≤,≥, <,>,=, or 6=, respectively. Please note that ¬χ :=∑ni=1 qiBπ′iϕi./q

and ¬(∑ni=1 qiBππ′iϕi ./ qBπ>) :=

∑ni=1 qiBππ′iϕi./qKπ>. Then, we have the

following:(1) ` ¬(

∑ni=1 qiBππ′iϕi ./ qBπ>)→ Bπ¬χ = Bπ>, by Axiom ITSP.

(2) ` Bπχ+Bπ¬χ = Bπ>, by Axiom Add(π)(3) ` Bπ¬χ = Bπ> → Bπχ = 0, by (2) and Linear Inequality Logic(4) ` ¬(

∑ni=1 qiBππ′iϕi ./ qBπ>)→ Bπχ = 0, by (1) and (3) 2

Proposition 2.3.10 ` Bπϕ = Bπ> → Bπ((ϕ ∨ ψ) ∧ χ) = Bπχ

PROOF (1) ` (Bπϕ ≤ Bπ(ϕ ∨ ψ)) ∧ (Bπ(ϕ ∨ ψ) ≤ Bπ>) by Proposition 2.3.6(2) ` Bπϕ = Bπ> → Bπ> ≤ Bπ(ϕ ∨ ψ) by (1) and linear inequality logic(3) ` Bπϕ = Bπ> → Bπ(ϕ ∨ ψ) = Bπ> by (1) and (2)(4) ` Bπ(ϕ ∨ ψ) +Bπ¬(ϕ ∨ ψ) = Bπ> by Axiom Add(π)(5) ` Bπ(ϕ ∨ ψ) = Bπ> → Bπ¬(ϕ ∨ ψ) = 0 by (4)(6) ` Bπ(¬(ϕ ∨ ψ) ∧ χ) ≤ Bπ¬(ϕ ∨ ψ) by Proposition 2.3.6(7) ` Bπ(ϕ ∨ ψ) = Bπ> → Bπ(¬(ϕ ∨ ψ) ∧ χ) ≤ 0 by (5) and (6)(8) ` Bπ(ϕ ∨ ψ) = Bπ> → Bπ(¬(ϕ ∨ ψ) ∧ χ) = 0 by (7) and Axiom Nonneg(π)(9) ` Bπ((ϕ ∨ ψ) ∧ χ) +Bπ(¬(ϕ ∨ ψ) ∧ χ) = Bπχ by Axiom Add(π)(10) ` Bπ(ϕ ∨ ψ) = Bπ> → Bπ((ϕ ∨ ψ) ∧ χ) = Bπχ by (8) and (9)(11) ` Bπϕ = Bπ> → Bπ((ϕ ∨ ψ) ∧ χ) = Bπχ by (3) and (10) 2


Proposition 2.3.11 ` Bπϕ = 0→ Bπ(ϕ ∧ χ) = 0

PROOF (1) ` Bπ(ϕ ∧ χ) ≤ Bπϕ by Proposition 2.3.6(2) ` Bπϕ = 0→ Bπ(ϕ ∧ χ) ≤ 0 by (1)(3) ` Bπϕ = 0→ Bπ(ϕ ∧ χ) = 0 by Axiom Nonneg(π) and (2) 2

Proposition 2.3.12 ` Bπϕ = 0→ Bπ((ϕ ∨ ψ) ∧ χ) = Bπ(ψ ∧ χ)

PROOF Let δ0 := ϕ ∧ χ and δ1 := ψ ∧ χ. We have the followings:(1) Bπ((ϕ ∨ ψ) ∧ χ) = Bπ(δ0 ∨ δ1) by Rule Equivalence(2) ` Bπϕ = 0→ Bπδ0 = 0 by Proposition 2.3.11(3) ` Bπδ1 = Bπ((δ0 ∨ δ1) ∧ δ1) by Rule Equivalence(4) ` Bπ(δ0 ∧ ¬δ1) = Bπ((δ0 ∨ δ1) ∧ ¬δ1) by Rule Equivalence(5) ` Bπδ0 = 0→ Bπ(δ0 ∧ ¬δ1) = 0 by Proposition 2.3.11(6) ` Bπϕ = 0→ Bπ(δ0 ∧ ¬δ1) = 0 by (2) and (5)(7) ` Bπϕ = 0→ Bπ((δ0 ∨ δ1) ∧ ¬δ1) = 0 by (4) and (6)(8) ` Bϕ((δ0 ∨ δ1) ∧ δ1) +Bπ((δ0 ∨ δ1) ∧ ¬δ1 = Bπ(δ0 ∨ δ1) by Axiom Add(π)(9) ` Bπϕ = 0→ Bπ(δ0 ∨ δ1) = Bπδ1 by (3), (7) and (8)(10) ` Bπϕ = 0→ Bπ((ϕ ∨ ψ) ∧ χ) = Bπδ1 by (1) and (9) 2

Proposition 2.3.13 Let T :=∑mj=1 qjBπjψj , δ0 :=

∑ni=1 q

′iBπ′iϕi ./1 q, and δ1 :=∑n

i=1 q′iBπ′iϕi ./1 qBπ>. We have ` q0Bπ((δ0 ∨ψ)∧χ) + T ≥ q ↔ (δ1 ∧ (q0Bπχ+

T ./2 q)) ∨ (¬δ1 ∧ (q0Bπ(ψ ∧ χ) + T ./2 q)).

PROOF (1) ` δ1 → Bπδ0 = Bπ> by Axiom ITSP

(2) ` Bπδ0 = Bπ> → Bπ((δ0 ∨ ψ) ∧ χ) = Bπχ by Proposition 2.3.10(3) ` δ1 → Bπ((δ0 ∨ ψ) ∧ χ) = Bπχ by (1) and (2)(4) ` ¬δ1 → Bπ¬δ0 = Bπ> by Axiom ITSP

(5) ` Bπ¬δ0 = Bπ> → Bπδ0 = 0 by Proposition 2.3.3(6) ` ¬δ1 → Bπδ0 = 0 by (4) and (5)(7) ` Bπδ0 = 0→ Bπ((δ0 ∨ ψ) ∧ χ) = Bπ(ψ ∧ χ) by Proposition 2.3.12(8) ` ¬δ1 → Bπ((δ0 ∨ ψ) ∧ χ) = Bπ(ψ ∧ χ) by (6) and (7)(9) ` q0Bπ((δ0 ∨ψ)∧χ) + T ./2 q ↔ (δ1 ∧ (q0Bπχ+ T ./2 q))∨ (¬δ1 ∧ (q0Bπ(ψ ∧χ) + T ./2 q)) by (3), (8) and linear inequality logic 2

Please note that the simplest version of Proposition 2.3.13 is

` Bε((ϕ ∨ ψ) ∧ χ) ./2 q ↔ (ϕ ∧Bεχ ./2 q) ∨ (¬ϕ ∧Bε(ψ ∧ χ) ./2 q)

where ϕ :=∑ni=1 qiϕi ./1 q. Therefore, we have the following proposition.

Proposition 2.3.14 If ψ :=∑ni=1 qiϕi ./1 q then we have

(i) ` Bε(ψ ∧ χ) ./2 q ↔ (ψ ∧Bεχ ./2 q) ∨ (¬ψ ∧Bε⊥ ./2 q)

(ii) ` Bε(ψ ∨ χ) ./2 q ↔ (ψ ∧Bε> ./2 q) ∨ (¬ψ ∧Bεχ ./2 q)

Proposition 2.3.15 ` Bπ〈a〉ϕ > 0→ Bπaϕ > 0


PROOF (1) ` Bπ〈a〉¬ϕ ≤ Bπ〈a〉> by Proposition 2.3.5 and ` 〈a〉¬ϕ→ 〈a〉>(2) ` Bπ〈a〉¬ϕ ≤ Bπa> by Proposition 2.3.6 and (1)(3) ` Bπ(〈a〉¬ϕ ∧ 〈a〉ϕ) > 0→ Bπa¬ϕ < Bπ〈a〉¬ϕ by Proposition 2.3.7(4) ` Bπ(〈a〉¬ϕ ∧ 〈a〉ϕ) > 0→ Bπa¬ϕ < Bπa> by (2) and (3)(5) ` Bπa¬ϕ < Bπa> → Bπaϕ > 0 by Add(πa): ` Bπaϕ+Bπa¬ϕ = Bπa>(6) ` Bπ(〈a〉¬ϕ ∧ 〈a〉ϕ) > 0→ Bπaϕ > 0 by (4) and (5)(7) ` Bπ(〈a〉¬ϕ ∧ 〈a〉ϕ) > 0→ (Bπ〈a〉ϕ > 0→ Bπaϕ > 0) by (6) and proposi-tional logic(8) ` Bπ〈a〉ϕ = Bπaϕ→ (Bπ〈a〉ϕ > 0→ Bπaϕ > 0) by linear inequality logic(9) ` Bπ(〈a〉¬ϕ ∧ 〈a〉ϕ) = 0 → (Bπ〈a〉ϕ > 0 → Bπaϕ > 0) by (8) and AxiomPRFEQ(πa)(10) ` Bπ(〈a〉¬ϕ ∧ 〈a〉ϕ) ≥ 0→ (Bπ〈a〉ϕ > 0→ Bπaϕ > 0) by (7) and (9)(11) ` Bπ〈a〉ϕ > 0→ Bπaϕ > 0 by (10) and Axiom Nonneg(πa) 2

Proposition 2.3.16 If ψ ∧ χ is inconsistent then ` Bπ(ψ ∨ χ) = Bπψ +Bπχ.

PROOF Since ψ ∧ χ is inconsistent, it follows that ` ψ ∧ χ ↔ ⊥, and then `(ψ∨χ)∧ϕ↔ ψ. It follows by Axiom Add(π) that ` Bπ(ψ∨χ)∧ψ+Bπ(ψ∨χ)∧¬ψ =Bπ(ψ ∨ χ). Since ` (ψ ∨ χ) ∧ ¬ψ ↔ χ, we have ` Bπψ +Bπχ = Bπ(ψ ∨ χ) 2

2.3.2 SoundnessIn this section we show that the axiomatization presented in the previous section is soundwith respect to the semantics provided in Section 2.2. Given that the logic is built onwell-understood modal logic, we will not show that the usual modal axioms and rulesare sound. Also the part of the axiomatization concerned with linear inequalities is well-understood and we do not show the soundness of that part either. Instead, we will focuson the axioms and rules that deal with the interplay between actions and probability.

The flowing shows that Axiom Nonneg(π) is valid.

Proposition 2.3.17 � Bπϕ ≥ 0

PROOF It follows by Definition 2.2.4 that µMπ (JϕKM|π

) ≥ 0 for each modelM. 2

The flowing shows that Axiom PRTR(ε) is valid.

Proposition 2.3.18 � K>

PROOF We only need to show that � Bε> = 1. Given a modelM, since J>KM =IM, it follows that µMε (J>KM) = 1. 2

In order to prove the soundness of PRF(πa), we first prove two auxiliary proposi-tions. The first is about the relation between probabilities in a model after an action andprobabilities preceding the action.

Proposition 2.3.19 Given model M and IM|π 6= ∅, we have µM|π

π′ (t) = µMππ′(t)/µMπ (IM|π) for each t ∈ SM.


PROOF

µM|ππ′ (t)

=∑

{s0···sn∈EPM|π (π′)|sn=t}

(BM|π

(s0)×Πni=1Pr

M|π (si−1, ai, si))

= 1/µMπ (IM|π)∑


(µMπ (s0)×Πni=1Pr

M|π (si−1, ai, si))

= 1/µMπ (IM|π)∑


( ∑{s′0···s′m∈EPM(π)|s′m=s0}

BM(s0)×Πni=1Pr

M(s′i−1, a′i, s′i)×Πn

i=1PrM|π (si−1, ai, si)

)= 1/µMπ (IM|π)

∑{u0···um+n∈EPM(ππ′)|um+n=t}

(µMπ (u0)×Πm+ni=1 PrM(si−1, ai, si))

= µMππ′(t)/µMπ (IM|π)

2

Using Proposition 2.3.19, we can prove the second auxiliary proposition that ex-presses that updating a model with a composed action is the same as updating the modelsequentially, first with the one component of the action, then the other component.

Proposition 2.3.20 Given modelM and IM|ππ′ 6= ∅, we haveM|π|π′ =M|ππ′ .

PROOF We only need to show that BM|π|π′

(t) = BM|ππ′

(t) for each t ∈ IM|ππ′ .

BM|π|π′

(t) =µM|ππ′ (t)

µM|ππ′ (IM|ππ′)

=µMππ′(t)/µ

Mπ (IM|π∑

s∈IM|ππ′ µMππ′(s)/µ

Mπ (IM|π)

by Proposition 2.3.19

=µMππ′(t)∑

s∈IM|ππ′ µMππ′(s)

= BM|ππ′

(t)

2

Using Proposition 2.3.20, we can show the soundness of PRF(πa).

Proposition 2.3.21 � Bπaϕ ≤ Bπ〈a〉ϕ.

PROOF Given modelM, we only need to show that µMπa(JϕKM|πa

) ≤ µMπ (J〈a〉ϕKM|π

).If IM|πa = ∅ then µMπa(JϕKM|

πa

) = 0. Since µMπ (J〈a〉ϕKM|π

) ≥ 0, it is obvious. IfIM|πa 6= ∅, we have that for each t ∈ JϕKM|

πa ⊆ IM|πa, there exists s ∈ IM|π suchthat s a−→ t. Moreover, it follows by Definition 2.2.4 that for each t ∈ IM|πa,

µMπa(t) =∑

{s∈IM|π|sa−→t}

µMπ (s)× PrM(s, a, t)


We then have the following:

µMπa(JϕKM|πa

)

=∑t∈JϕKM|πa µ

Mπa(t)

=∑t∈JϕKM|πa

(∑{s∈IM|π|s

a−→t} µMπ (s)× PrM(s, a, t)

)=

∑{s∈IM|π | ∃t∈JϕKM|πa :s

a−→t} µMπ (s)×

(∑t∈(JϕKM|πa∩RMa (s)) Pr

M(s, a, t))

≤∑{s∈IM|π | ∃t∈JϕKM|πa :s

a−→t} µMπ (s)

=∑{s∈IM|π | ∃t∈JϕKM|π|a :s

a−→t} µMπ (s) by Proposition 2.3.20

=∑s∈J〈a〉ϕKM|π µ

Mπ (s)

= µMπ (J〈a〉ϕKM|π

)

2

The soundness of this axiom is used in the proof of the soundness of PRFEQ(πa).

Proposition 2.3.22 � Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) = 0↔ Bπaϕ = Bπ〈a〉ϕ

PROOF Given a pointed modelM, s, we only need to show thatM, s � Bπ(〈a〉ϕ ∧〈a〉¬ϕ) = 0 iffM, s � Bπaϕ = Bπ〈a〉ϕ. This is obvious if IM|πa = ∅. Next, we onlyfocus on the case of IM|πa 6= ∅. We have the following:

M, s 2 Bπaϕ = Bπ〈a〉ϕ⇔µMπa(JϕKM|

πa

) < µMπ (J〈a〉ϕKM|π

) by Proposition 2.3.21

⇔there exists s′ ∈ IM|π such thatM|πa, t′ � ϕ for some t′ ∈ RMa (s) and( ∑t∈(JϕKMπa∩RMa (s))

PrM(s, a, t))< 1 by the proof of Proposition 2.3.21

⇔there exists s′ ∈ IM|π such thatM|πa, t′ � ϕ for some t′ ∈ RMa (s) and

M|πa, t 2 ϕ for some t ∈ RMa (s)

⇔there exists s′ ∈ IM|π such thatM|π, s � 〈a〉ϕ ∧ 〈a〉¬ϕ⇔µMπ (J〈a〉ϕ ∧ 〈a〉¬ϕKM|

π

) > 0

⇔M, s 2 Bπ(〈a〉ϕ ∧ 〈a〉¬ϕ) = 0

2

The next axiom for which we prove soundness is ITSP. This axiom is a scheme formany different formulas. We abstract from the (in)equality expressed. We call the ax-iom introspection, because it is closely related to the usual axioms 4 and 5 in epistemiclogic that express positive and negative introspection, respectively. Since an inequal-ity is a negation, this scheme captures both positive and negative introspection in ourprobabilistic setting.

Proposition 2.3.23 � (∑ni=1 qiBππ′iϕi ./ qBπ>) → Bπ(

∑ni=1 qiBπ′iϕi ./ q) =

Bπ>

2.4. COMPLETENESS 27

PROOF IfM, s �∑ni=1 qiBππ′iϕi ./ qBπ>, namely,

∑ni=1 qi · µMππ′(JϕiKM|

ππ′

) ./

q · µMπ (J>KM|π

), we need to showM, s � Bπ(∑ni=1 qiBπ′iϕi ./ q) = Bπ>, namely,

µMπ (J∑ni=1 qiBπ′iϕi ./ qK

M|π ) = µMπ (J>KM|π

). If IM|ππ′ = ∅, it is obvious.Next, we focus on the situation of IM|ππ′ 6= ∅. To show µMπ (J

∑ni=1 qiBπ′iϕi ./

qKM|π

) = µMπ (J>KM|π

), we only need to show that J∑ni=1 qiBπ′iϕi ./ qKM|

π

=

IM|π . By semantics, we only need to show∑ni=1 qi · µ

M|ππ′i

(JϕiKM|π|π′i ) ./ q. Since

IM|ππ′ 6= ∅, it follows by Propositions 2.3.20 and 2.3.19 that µM|π

π′ (JϕiKM|π|π′

) =

µMππ′(JϕiKM|ππ

′

)/µMπ (IM|π). Therefore, we have∑ni=1 qi · µ

M|ππ′i

(JϕiKM|π|π′i ) ./ q if

and only if∑ni=1 qi · µMππ′(JϕiKM|

ππ′

) ./ q · µMπ (J>KM|π

). 2

The last axiom for which we prove soundness is CP, an axiom about conditionalprobability. It expresses the relation between prior and posterior probability in our set-ting.

Proposition 2.3.24 � 〈a〉> → ([a](∑ni=1 qiBπiϕi ./ q)↔

∑ni=1 qiBaπiϕi ./ qBa>)

PROOF Given a pointed M, s � and s a−→ t for some t ∈ S, we need to showthat M, s � [a](

∑ni=1 qiBπiϕi ./ q) ↔

∑ni=1 qiBaπiϕi ./ qBa>. Since M, s �

[a](∑ni=1 qiBπiϕi ./ q) if and only ifM|a, t �

∑ni=1 qiBπiϕi ./ q. Thus, we only need

to showM|a, t �∑ni=1 qiBπiϕi ./ q if and only ifM, s �

∑ni=1 qiBaπiϕi ./ qBa>.

It is obvious if IM|aπi = ∅ for all 1 ≤ i ≤ n. Next we only focus on the case ofIM|aπi 6= ∅ for all 1 ≤ i ≤ n.

M|a, t �∑ni=1 qiBπiϕi ./ q

⇔∑ni=1 qiµ

M|aπi (JϕiKM|

a|πi ) ./ q

⇔∑ni=1 qiµ

M|aπi (JϕiKM|

aπi) ./ q by Proposition 2.3.20

⇔∑ni=1 qi/µ

Ma (IM|a) · µMaπi(JϕiK

M|aπi ) ./ q by Proposition 2.3.19

⇔∑ni=1 qiµ

Maπi(JϕiK

M|aπi ) ./ qµMa (IM|a) due to µMa (IM|a) > 0

⇔ M, s �∑ni=1 qiBaπiϕi ./ qBa>

2

Now we are ready to prove the soundness lemma, which can be proven by inductionon the length of the proof. We will leave the proof to the reader.

Theorem 2.3.25 (Soundness) For each formula ϕ, ` ϕ implies � ϕ.

2.4 CompletenessIn this section we show that the axiomatization presented in Section 2.3.1 is completewith respect to the semantics we presented in Section 2.2. One important strategy thathas been employed to prove completeness for dynamic epistemic logic is to use reduc-tion axioms (see for instance van Benthem et al. (2006)). Reduction axioms are a way


of relating what is the case after an announcement to what is the case before an an-nouncement. Unfortunately that strategy is not available here because the agent cannotknow beforehand what will be the case after an action without any information aboutthe model. We will, however, try to reduce the language to certain forms and provecompleteness with respect to this restricted language.

Our proof of the completeness for LCPP is divided into three steps: first, we reducethe language LLCPP to its subset LBLCPP; second, we define nonstandard models and showthat each formula ϕ ∈ LBLCPP is satisfiable in nonstandard models implies it is alsosatisfiable in standard models defined in Section 2.2; third, we construct a canonicalnonstandard model and show the truth lemma.

2.4.1 Normal formIn this subsection, we will show that each formula can be reduced to a certain form. Be-fore defining the language of that form, we first define the language without probability,which is the normal language of modal logic.

Definition 2.4.1 The language LB-FreeLCPP is defined as the following BNF:

ψ ::= p | ¬ψ | (ψ ∧ ψ) | [a]ψ

where p ∈ P and a ∈ Act.

With the language LB-FreeLCPP , we now define the language with special form.

Definition 2.4.2 The language LBLCPP is defined as the following BNF:

ϕ ::= ψ | q1Bπ1ψ + · · ·+ qnBπnψ ≥ q | ¬ϕ | (ϕ ∧ ϕ)

where ψ ∈ LB-FreeLCPP , πi ∈ Act∗, and q, qi ∈ Q for each 1 ≤ i ≤ n.

It is obvious thatLB-FreeLCPP ⊂ LBLCPP andLBLCPP ⊂ LLCPP. Please note that for each for-mula in LBLCPP the probability operator Bπ only appears outside a modal logic formula.In other words, there are no nesting occurrences between Bπ and Bπ , and between Bπand [a].

The rest of this subsection will show that each formula ϕ ∈ LLCPP can be reduced tobe equivalent to a formula ϕ′ ∈ LBLCPP. To make the proof easier, we first define a notionof conjunctive normal form in a similar way as it is defined in propositional logic.

Definition 2.4.3 (Conjunctive Normal Form) A formula ϕ ∈ LLCPP is in conjunctivenormal form if it is a conjunction of disjunctions of ‘literals’, where a ‘literal’ is aformula of the form p, ¬p, [a]ψ, ¬[a]ψ,

∑ni=1 qiBπiψi ≥ q or ¬(

∑ni=1 qiBπiψi ≥ q),

where ψ and ψi are also in normal form.

Since modal formulas and probability formulas are seen as propositional letters inconjunctive normal form, it is routine to show the following proposition.

Proposition 2.4.4 For each formula ϕ ∈ LLCPP, there exists a formula ϕ′ ∈ LLCPP suchthat ` ϕ↔ ϕ′ and ϕ′ is in conjunctive normal form.

Next, we define a notion which reflects a formula’s complexity on the depth of nest-ing between probability operator and action operator.


Definition 2.4.5 (Nesting Degree) Degree of a formula or an item is defined as follows.d(p) = 0d(¬ϕ) = d(ϕ)d(ϕ ∧ ψ) = max{d(ϕ), d(ψ)}

d([a]ϕ) =

{1 + d(ϕ) if a probability term occurs in ϕ0 else

d(∑ni=1 qiBπ′iϕi ≥ q) = max{d(Bπ′iϕi) | 1 ≤ i ≤ n}

d(Bπϕ) =

{1 + d(ϕ) if a probability term occurs in ϕ0 else

Please note that d(ϕ) = 0 for each ϕ ∈ LBLCPP. Moreover, for each ϕ ∈ LLCPP ifd(ϕ) = 0 then ϕ ∈ LBLCPP. Therefore, our task is to reduce ϕ ∈ LLCPP to a formula ϕ′

such that d(ϕ′) = 0. To make the proof shorter, we need the following two propositions.

Proposition 2.4.6 Given [a]ψ ∈ LLCPP and d([a]ψ) = 1, there exists a formula ϕ suchthat d(ϕ) = 0 and ` ϕ↔ [a]ψ.

PROOF Since d([a]ψ) = 1, ψ cannot be of the form [b]χ or ¬[b]χ. Without loss ofgenerality, we assumeψ is in conjunctive normal form and [a]ψ := [a](ψ1∨· · ·∨ψn∨ψ′)where d([a]ψ′) = 0 and for all 1 ≤ i ≤ n, ψi :=

∑inj=1 qijBπijχij ≥ qi and for all

1 ≤ j ≤ in, d(Bπijχij ) = 0. By induction on n, we will show that there exists aformula ϕ with d(ϕ) = 0 such that ` [a]ψ ↔ ϕ.

If n = 1, [a]ψ := [a](∑mj=1 qjBπjχj ≥ q ∨ ψ′). Let ϕ := (

∑mj=1 qjBaπjχj ≥

qBa>)∨ [a]ψ′ then we have d(ϕ) = 0. It follows by Proposition 2.3.8 that ` [a]ψ ↔ ϕ.If [a]ψ := [a](ψ1 ∨ · · · ∨ ψn+1 ∨ ψ′) where ψi :=

∑inj=1 qijBπijχij ≥ qi for each

1 ≤ i ≤ n+ 1. Let ϕ′ := (∑1nj=1 q1jBaπ1j

χ1j ≥ q1Ba>) ∨ [a](ψ2 ∨ · · · ∨ ψn+1 ∨ ψ′)then we have d(

∑1nj=1 q1jBaπ1j

χ1j ≥ q1Ba>) = 0. It follows by Proposition 2.3.8that ` [a]ψ ↔ ϕ′. By induction on n, it follows that there exists a formula ϕ′′ such thatd(ϕ′′ = 0) and ` ϕ′′ ↔ [a](ψ2 ∨ · · · ∨ ψn+1 ∨ ψ′). Let ϕ := (

∑1nj=1 q1jBaπ1j

χ1j ≥q1Ba>) ∨ ϕ′′ then we have d(ϕ) = 0. It follows by Proposition 2.3.4 that ` ϕ ↔ ϕ′.Since ` [a]ψ ↔ ϕ′, it follows that ` [a]ψ ↔ ϕ. 2

Proposition 2.4.7 Given ϕ ∈ LLCPP, ϕ :=∑ni=1 qiBπiϕi ≥ q, and d(ϕ) = 1, there

exists a formula ϕ′ such that d(ϕ′) = 0 and ` ϕ↔ ϕ′.

PROOF Without loss of generality, assume that each ϕi (1 ≤ i ≤ n) is in con-junctive normal form. Since d(ϕ) = 1, it follows that at least one ϕi has a probab-ility literal for some 1 ≤ i ≤ n. Assume that ϕ1 has a probability literal, namelyϕ1 := (

∑mj=1Bπ′jχ

′j ./ q

′ ∨ χ′′) ∧ χ′′′. Then ϕ is of the form q1Bπ1((∑mj=1Bπ′jχ

′j ./

q′ ∨ χ′′) ∧ χ′′′) +∑ni=2 qiBπiϕi ≥ q where d(Bπ′jχ

′j) = 0 for all 1 ≤ j ≤ m. Let

k be the number of occurrences of probability literals in ϕ1, · · · , ϕn. We prove it byinduction on k.

If k = 1, it follows that d(Bπ(χ′′ ∧ χ′′′)) = 0 and d(Bπiϕi) = 0 for all 2 ≤ i ≤ n.Letψ1 := q1Bπ1

χ′′′+∑ni=2Bπiϕi ≥ q andψ2 := q1Bπ1

(χ′′∧χ′′′)+∑ni=2Bπiχi ≥ q.

It follows that d(ψ1) = d(ψ2) = 0. Let ϕ′ := ((∑mj=1Bππ′jχ

′j ./ q

′Bπ>) ∧ ψ1) ∨


(¬(∑mj=1Bππ′jχ

′j ./ q

′Bπ>) ∧ ψ2). Since d(∑mj=1Bππ′jχ

′j ./ q

′Bπ>) = 0, it followsthat d(ϕ′) = 0. It follows by Proposition 2.3.13 that ` ϕ↔ ϕ′.

If k = h + 1 and h > 0, Let ψ1 := q1Bπ1χ′′′ +

∑ni=2Bπiϕi ≥ q and ψ2 :=

q1Bπ1(χ′′ ∧ χ′′′) +

∑ni=2Bπiχi ≥ q. It follows that d(ψ2) = 1 and the number of oc-

currences of probability literals in χ′′ ∧χ′′′, ϕ2, · · · , ϕn is h. It follows by IH that thereexists a formula ψ′2 such that d(ψ′2) = 0 and ` ψ2 ↔ ψ′2. If d(ψ1) = 1, it follows thatthe number of occurrences of probability literals in χ′′′, ϕ2, · · · , ϕn is less than or equalto h. It follows by IH that there exists a formula ψ′1 such that d(ψ′1) = 0 and ` ψ1 ↔ ψ′1.Let ϕ′′ := ((

∑mj=1Bππ′jχ

′j ./ q

′Bπ>)∧ψ1)∨ (¬(∑mj=1Bππ′jχ

′j ./ q

′Bπ>)∧ψ2) andϕ′ := ((

∑mj=1Bππ′jχ

′j ./ q

′Bπ>) ∧ ψ′1) ∨ (¬(∑mj=1Bππ′jχ

′j ./ q

′Bπ>) ∧ ψ′2). Sinced(∑mj=1Bππ′jχ

′j ./ q

′Bπ>) = 0, we have d(ϕ′) = 0. It follows by Proposition 2.3.13that ` ϕ ↔ ϕ′′. It follows by Proposition 2.3.4 that ` ϕ′ ↔ ϕ′′. Therefore, we have` ϕ↔ ϕ′. 2

Now, we are ready to prove the reduction proposition.

Proposition 2.4.8 (Reduction) For each formula ϕ ∈ LLCPP, there exists a formulaϕ′ ∈ LBLCPP such that ` ϕ↔ ϕ′.

PROOF We only need to show that there exists ϕ′ such that d(ϕ′) = 0 and ` ϕ↔ ϕ′.We prove this by induction on d(ϕ). It is obvious if d(ϕ) = 0. If d(ϕ) = n + 1,without loss of generality, we assume ϕ is in conjunctive normal form. It follows byProposition 2.3.4 that we only need to show that for each literal ψ in ϕ there existsa formula ψ′ such that ` ψ ↔ ψ′ and d(ψ′) = 0. By IH, this is straightforward ifd(ψ) = n. If d(ψ) = n + 1, ψ is of the form [a]ψ′, ¬[a]ψ′,

∑ni=1 qiBπiψ

′i ≥ q or

¬∑ni=1 qiBπiψ

′i ≥ q. We only focus on the case of [a]ψ′ and

∑ni=1 qiBπiψ

′i ≥ q; the

other cases are similar.If ψ := [a]ψ′ and d([a]ψ′) = n + 1, it follows that d(ψ′) = n. By IH, it follows

that there exists a formula χ′ such that ` ψ′ ↔ χ′ and d(χ′) = 0. Thus, we have` ψ ↔ [a]χ′ and d([a]χ′) ≤ 1. If d([a]χ′) = 1, it follows by Proposition 2.4.6 thatthere exists a formula χ such that ` χ↔ [a]χ′ and d(χ) = 0. It follows that ` ψ ↔ χ.

If ψ :=∑ni=1 qiBπiψ

′i ≥ q and d(ψ) = n + 1, it follows that d(ψ′i) ≤ n for

all 1 ≤ i ≤ n. By IH, it follows that for each ψ′i there exists a formula χ′i suchthat ` ψ′i ↔ χ′i and d(χ′i) = 0. It follows that ` ψ ↔

∑ni=1 qiBπiχ

′i ≥ q and

d(∑ni=1 qiBπiχ

′i ≥ q) ≤ 1. If d(

∑ni=1 qiBπiχ

′i ≥ q) = 1, it follows by Proposition

2.4.7 that there exists a formula χ such that `∑ni=1 qiBπiχ

′i ≥ q ↔ χ and d(χ) = 0.

It follows that ` ψ ↔ χ. 2

Due to the soundness of SLCPP, the above proposition also indicates that the ex-pressive power of the full language LLCPP is the same as its fragment LBLCPP. The rest ofthis chapter will focus on formulas in LBLCPP.

2.4.2 Nonstandard modelRecall the models and the semantics defined in Section 2.2. There are two kinds ofprobabilities in a model, and the probability representing the agent’s initial uncertaintyneeds to be updated in the semantics. These will cause too much troubles if we directlyconstruct the canonical model. Our strategy is working on alternative models, which


are defined below. To avoid confusion, we call the model and the semantics definedin Section 2.2 standard model and standard semantics. In this subsection, firstly wewill define nonstandard models and nonstandard semantics, then we will show that ifa formula ϕ ∈ LBLCPP is satisfiable in nonstandard models, then it is also satisfiable instandard models.

Definition 2.4.9 (Nonstandard Model) A nonstandard model, denoted as M, is a tupleM = 〈SM, RM, IM, {µM

π | π ∈ Act∗}, VM〉 such that

• SM 6= ∅ is a finite set of states,

• RM ⊆ SM ×Act× SM,

• IM is a non-empty subset of SM,

• µMπ : IM|π → [0, 1] is a function such that

1. µMε (IM) = 1 and µM

ε (s) > 0 for each s ∈ IM;

2. µMπa(IM|πa) = µM

π ({s ∈ IM|π | RMa (s) 6= ∅}) and µM

πa(s) > 0 for eachs ∈ IM|πa;

3. µMπa(E) ≤ µM

π ({s ∈ IM|π | ∃t ∈ E : sa−→ t}) for each E ⊆ IM|πa;

4. µMπa(E) < µM

π ({s ∈ IM|π | ∃t ∈ E : sa−→ t}) for each E ⊆ IM|πa such

that RMa (s) ∩ E 6= ∅ and RM

a (s) \ E 6= ∅ for some s ∈ IM|π;

• VM : P→ P(SM).

Please note that IM|π is defined in the same way as it is in Section 2.2. Thereare two differences between nonstandard models and standard models: first, there areno transition probabilities in nonstandard models; second, the functions µπ of standardmodels are calculated by two kinds of probabilities (see Definition 2.2.4) while theyare predefined in nonstandard models, but intuitively they are the same thing. The re-quirements of the functions µM

π of nonstandard models make sure that there are indeedtransition probabilities such that µM

π are calculated in the way shown in Definition 2.2.4.

Definition 2.4.10 (Nonstandard Semantics) Let M be a nonstandard model. Given astate s ∈ SM and a formula ψ ∈ LB-FreeLCPP , ψ being true at M, s, denoted as M, s, ψ,is defined the same as the standard semantics. Given s ∈ IM and ϕ ∈ LBLCPP, M, s, ϕis defined as follows:

M, s ¬ϕ ⇐⇒ M, s 1 ϕM, s (ϕ ∧ ψ) ⇐⇒ M, s ϕ and M, s ψ

M, s ∑ni=1 qiBπiϕi ≥ q ⇐⇒

∑ni=1 qiµ

Mπi (JϕiK

Mπi ) ≥ q

where JϕKMπi = {s ∈ IM|πi |M, s ϕ}.

Note that a probability formula is only evaluated on states in IM. Moreover, thereis no updating in nonstandard semantics. The reason is that in nonstandard semanticswe only care about formulas in LBLCPP. Formulas in LBLCPP cannot express the agent’suncertainty after she performs an action. Therefore, there is no need to update the model.

The following proposition is crucial, which shows that our strategy of working onnonstandard models does make sense.


Proposition 2.4.11 Given ϕ ∈ LBLCPP, if it is satisfiable in nonstandard models then itis also satisfiable in standard models.

PROOF Let M be a finite nonstandard model such that M, u ϕ where u ∈ IM. Weneed to show that there exists a standard pointed model in which ϕ is true. We only needto show the following claims.

The only differences between standard models and nonstandard models are probab-ilities. Recall Definition 2.2.4, and we know that in standard models, µa is calculated bythe probability B and the probability Pra. Since µε in nonstandard models is the sameas B in standard models, the first claim is to show that there exist such functions Prathat Pra is a probability distribution and that µa in nonstandard models coincides withµa which is calculated by this Pra and µε. The idea of the claim proof is that we list aset of inequalities based on the probability µa in nonstandard models and the conditionsthat Pra needs to satisfy, and then we show the inequality set is satisfiable by usingTheorem A.2.7.

Claim 2.4.11.1 Given πa ∈ Act∗, if IM|πa 6= ∅, there exists a function PrMπa :RMa |(IM|π×IM|πa) → Q+ such that

∑t∈RM

a (s) PrMπa(s, t) = 1 for each s ∈ IM|π

where a is executable at s, and that∑{s∈IM|π|t∈RM

a (s)} µMπ (s) · PrMπa(s, t) = µM

πa(t)

for each t ∈ IM|πa.

Proof of claim 2.4.11.1: Intuitively, PrMπa(s, t) represents the probability of reaching tby performing a in s. Let IM|π = {s1, · · · , sn, · · · , sn′} such that a is executable ateach si where 1 ≤ i ≤ n and a is unexecutable at each sj where n < j ≤ n′. LetIM|πa = {t1, · · · , tm} then the relation RM

a on IM|π× IM|πa can be roughly depictedas follows.

IM|π s1 sn· · · · · · sn′

IM|πa t1 · · · tm

We now describe a set of linear inequalities over variables of the form x(i,j) for(si, tj) ∈ RM

a |(IM|π×IM|πa). The variable x(i,j) represents µMπ (si) · PrMπa(si, tj). For

each (si, tj) ∈ RMa |(IM|π×IM|πa), to make sure PrMπa(si, tj) > 0, we only need to

request thatx(i,j) > 0. (2.1)

For each 1 ≤ i ≤ n, to make sure∑tj∈RM

a (si)PrMπa(si, tj) = 1, we only need to

request that ∑tj∈RM

a (si)

x(i,j) = µMπ (si). (2.2)

For each 1 ≤ j ≤ m, to make sure∑{si∈IM|π|tj∈RM

a (si)} µMπ (si) · PrMπa(si, tj) =


µMπa(tj), we only need to request that∑

{si∈IM|π|tj∈RMa (si)}

x(i,j) = µMπa(tj). (2.3)

Next, we only need to show that the set S of linear inequalities described in (2.1) to(2.3) has a solution. By Theorem A.2.7, we only need to show that∑

(si,tj)∈RMa |UM|π×UM|πa

0x(i,j) > 0 (2.4)

is not a possible legal linear combination of S. If possible, let µMπ (si) = ai and

µMπa(tj) = bj then there exists a scheme (cf. Definition A.2.6) of S as shown in Table 2.2

such that

u(i′,j′) > 0 for some (si′ , tj′) ∈ RMa |UM|π×UM|πa ; (2.5)

d(i,j) = u(i,j) + ri + wj = 0 for each (si, tj) ∈ RMa |UM|π×UM|πa ; (2.6)

d = −u0 + r1a1 + · · ·+ rnan + w1b1 + · · ·+ wmbm = 0 (2.7)

where ri = r′2i−1 − r′2i and wj = w′2j−1 − w′2j for all 1 ≤ i ≤ n and 1 ≤ j ≤ m.Let a group G be a minimal subset of IM|πa such that for each t ∈ G if s a−→ t

and s a−→ t′ for some s ∈ IM|π then t′ ∈ G. It is obvious that IM|πa can be di-vided into several such groups. Without loss of generality, assume one of these group is{t1, · · · , th}, and we will write it as {1, · · · , h} for abbreviation. For each j ∈ G, letDj = {1 ≤ i ≤ n | (si, tj) ∈ RM

a |UM|π×UM|πa}, which is the set of all the numbersi such that si ∈ IM|π and si

a−→ tj . For each i ∈ Dj , since d(i,j) = 0 and u(i,j) ≥ 0,it follows that wj ≤ −ri. Given j ∈ G, we use rwj to denote the maximal number in{ri | i ∈ Dj}. Since wj ≤ −ri for all i ∈ Dj , it follows that wj ≤ −rwj . Withoutloss of generality, we assume that rw1 ≤ · · · ≤ rwh . We use D1,j as an abbreviation forD1 ∪ · · · ∪Dj . It follows by Definition 2.4.9 that

∑i∈D1,h

ai = b1 + · · ·+ bh and that∑i∈D1,k

ai > b1 + · · ·+ bk for each k < h. We then have the following:

∑i∈D1,h

riai +∑hj=1 wjbj

≤∑i∈D1,h

riai +∑hj=1−rwj bj

≤ rw1(∑i∈D1

ai − b1) +∑i∈D1,h\D1

riai +∑hj=2−rwj bj

≤ rw2(∑i∈D1,2

ai − b1 − b2) +∑i∈D1,h\D1,2

riai +∑mj=3−rwj bj

··································································································

≤ rwh · (∑i∈D1,h

ai +∑hj=1−bj)

= 0

(2.8)

For the reason why for each 1 ≤ k < h,rwk(

∑i∈D1,k

ai +∑kj=1−bj) +

∑i∈D1,h\D1,k

riai +∑hj=k+1−rwj bj

≤ rwk+1(∑i∈D1,(k+1)

ai +∑k+1j=1 −bj) +

∑i∈D1,h\D1,(k+1)



u0 ≥ 0 :∑

(si,tj)∈RMa |UM|π×UM|πa

0x(i,j) > −1 (0, 0)

u(1,1) ≥ 0 : x(1,1) > 0 (1, 1)

··························································································u(i,j) ≥ 0 : x(i,j) > 0 (i, j)

r′1 ≥ 0 :∑tj∈RM

a (s1) x(1,j) ≥ a1 (1,+)

r′2 ≥ 0 :∑tj∈RM

a (s1)−x(1,j) ≥ −a1 (1,−)

··························································································r′2n−1 ≥ 0 :

∑tj∈RM

a (sn) x(n,j) ≥ an (n,+)

r′2n ≥ 0 :∑tj∈RM

a (sn)−x(n,j) ≥ −an (n,−)

w′1 ≥ 0 :∑{si∈IM|π|t1∈RM

a (si)} x(i,1) ≥ b1 (+, 1)

w′2 ≥ 0 :∑{si∈IM|π|t1∈RM

a (si)}−x(i,1) ≥ −b1 (−, 1)

··························································································w′2m−1 ≥ 0 :

∑{si∈IM|π|tm∈RM

a (si)} x(i,m) ≥ bm (+,m)

w′2m ≥ 0 :∑{si∈IM|π|tm∈RM

a (si)}−x(i,m) ≥ −bm (−,m)

d(1,1)x(1,1) + · · ·+ d(i,j)x(i,j) > d (0).

Table 2.2: Scheme(Scheme is a systematical way to get a logical consequence of a set of inequalities (cf. A.2.6). Inthis table, the inequality (0) is a logical consequence of all the inequalities above the line providedthat some u(i′,j′) is positive. Each of (0, 0) ... (−,m) stands for an inequality. For example, (1, 1)stands for u(1,1) · x(1,1) > u(1,1) · 0 where u(1,1) is a non-negative coefficient. The inequality(0, 0) is based on 0 > −1; each of (1, 1) to (i, j) is based on the inequality (2.1); the inequalities(1,+) and (1,−) are based on the equation (2.2); the inequalities (+, 1) and (−, 1) are based onthe equation (2.3).)


we have the following.

rwk(∑i∈D1,k

ai +∑kj=1−bj) +

∑i∈D1,h\D1,k


≤ rwk(∑i∈D1,k

ai +∑kj=1−bj) + rwk+1

∑i∈Dk+1\D1,k

ai

+∑i∈D1,h\D1,(k+1)


≤ rwk+1(∑i∈D1,k

ai +∑kj=1−bj) + rwk+1

∑i∈Dk+1\D1,k

ai

+∑i∈D1,h\D1,(k+1)

riai +∑mj=k+1−rwj bj

= rwk+1(∑i∈D1,(k+1)

ai +∑k+1j=1 −bj) +

∑i∈D1,h\D1,(k+1)

riai

+∑hj=k+2−rwj bj

(2.9)

Because of the property of group, it follows that ifG andG′ are two different groups,and t ∈ G, t′ ∈ G′ then Dt ∩ Dt′ = ∅. Assuming IM|πa is divided into l groups, itfollows that

d = −u0 +∑

1≤k≤l

(∑i∈DGk

riai +∑j∈Gk

wjbj) (2.10)

Since d = 0, −u0 ≤ 0 and∑i∈DG riai +

∑j∈G wjbj ≤ 0 for each group G, it follows

that u0 = 0 and∑i∈DG riai +

∑j∈G wjbj = 0. It follows that each inequality of (2.8)

or (2.9) equals 0, especially,∑i∈DG

riai +∑j∈G

wjbj =∑i∈DG

riai +∑j∈G−rwj bj = 0. (2.11)

Moreover, by (2.9), we have that for each 1 ≤ k < h,

rwk(∑i∈D1,k

ai +

k∑j=1

−bj) = rwk+1(∑i∈D1,k

ai +

k∑j=1

−bj), (2.12)

∑i∈Dk+1\D1,k

riai = rwk+1

∑i∈Dk+1\D1,k

ai. (2.13)

Since∑i∈D1,k

ai +∑kj=1−bj > 0, it follows by (2.12) that rwk = rwk+1

for each1 ≤ k < h. Next, we will show that for each 1 ≤ k ≤ h, namely tk ∈ G, i ∈ Dk

implies ri = rwk . For the case of k = 1, it is obvious from (2.8). For the case of k + 1,if i ∈ Dk+1 \D1,k, it is obvious from (2.13). If i 6∈ Dk+1 \D1,k, it follow by IH thatri = rwk′ for some k′ ≤ k. Since rwk = rwk+1

for all 1 ≤ k < h, it follows that r, itfollows that ri = rwk+1

.By (2.5), we have known that u(i′,j′) > 0. Since ri = ri′ and d(i,j′) = u(i,j′) + ri +

wj′ = 0 for all i ∈ Dj′ , it follows that u(i,j′) = ui′,j′ for all i ∈ Dj′ . Since u(i′,j′) > 0,it follows that rwj′ + wj′ < 0, namely wj′ < −rwj′ . Thus, for the group G such thatj′ ∈ G, we have the following∑

i∈DG

riai +∑j∈G

wjbj <∑i∈DG

riai +∑j∈G−rwj bj .


This is in contradiction with (2.11). Therefore, (2.4) cannot be a legal linear combinationof S, and it follows by Theorem A.2.7 that S has a solution.

Therefore, there exists a function PrMπa on RMa |(IM|π×IM|πa) which is defined as

PrMπa(si, tj) = x(i,j)/µMπ (si) for each (si, tj) ∈ RM

a |(IM|π×IM|πa). It follows from(2.1) to (2.3) that PrMπa : RM

a |(IM|π×IM|πa) → Q+ such that∑t∈RM

a (s) PrMπa(s, t) = 1

for each s ∈ IM|π where a is executable at s, and that∑{s∈IM|π|t∈RM

a (s)} µMπ (s) ·

PrMπa(s, t) = µMπa(t) for each t ∈ IM|πa. �

Please recall that an execution path σ ∈ EPM(a1 · · · an) is an alternating sequenceof states and actions, s0a1 · · · sn, where s0 ∈ IM and si−1

ai−→ si for each 1 ≤ i ≤ n(see Definition 2.2.3). Given σ := s0a1 · · · sn, we use T (σ) to denote the last statesn and ρ(σ) to the action sequence a1 · · · an. Given t ∈ IM|π , let [σ]πt denot the set{σ ∈ EPM(π) | T (σ) = t}, which is the set of π-executions leading to t.

Next, we construct a standard model based on the execution paths of M. The stand-ard model M• is defined as follows.

SM• = {σ ∈ EPM(π) | π ∈ Act∗}RM• = {(σ, a, σ′) | a ∈ Act|ϕ, σ′ = σat}PrM

•(σ, a, σat) = PrMρ(σ)a(T (σ), t)

IM•

= IM

BM• = µMε

VM•(p) = {σ | T (σ) ∈ VM(p)}

where PrMρ(σ)a is the function which is shown in Claim 2.4.11.1.

Claim 2.4.11.2 For each π ∈ Act∗ and each t ∈ IM|π , we have µM•

π ([σ]πt ) = µMπ (t).

Proof of claim 2.4.11.2: By the definition of M•, it is obvious that σ ∈ IM• |π iff T (σ) ∈IM|π for each σ ∈ SM• . By induction on π we will show that µM•

π ([σ]πt ) = µMπ (t). It

is obvious for the case of ε. For the case of πa, we have the following.

µM•

πa ([σat]πat ) = µM•

πa ({σ′at | s ∈ IM|π, t ∈ RMa (s), σ′ ∈ [σ]πs })

=∑

{s∈IM|π|t∈RMa (s)}

∑σ′∈[σ]πs

µM•

πa (σ′at)

=∑


∑σ′∈[σ]πs

µM•

π (σ′) · PrM•(σ′, a, σ′at)

=∑


∑σ′∈[σ]πs

µM•

π (σ′) · PrMπa(s, t)

=∑


PrMπa(s, t)∑

σ′∈[σ]πs

µM•

π (σ′)

=∑


PrMπa(s, t) · µMπ (s) (by IH)

= µMπa(t) (by Claim 2.4.11.1)

Therefore, we have shown that µM•

π ([σ]πt ) = µMπ (t) for each t ∈ IM|π . �


Claim 2.4.11.3 Given ψ ∈ LB-FreeLCPP , σ ∈ SM• , and π ∈ Act∗, if σ ∈ IM• |π , we haveM•|π, σ � ψ iff M, T (σ) ψ.

Proof of claim 2.4.11.3: It is easy to show by induction on ψ. �

Claim 2.4.11.4 For each formula ψ ∈ LBLCPP and each s ∈ IM• , we have M•, s � ψ iffM, s ψ.

Proof of claim 2.4.11.4: We prove it by induction on ψ. For the case of ψ ∈ LB-FreeLCPP , thishas been shown in Claim 2.4.11.3. We only focus on the cases of

∑ni=1 qiBπiψi ≥ q;

the other cases are straightforward.For the case of ψ :=

∑ni=1 qiBπiψi ≥ q, we only need to show µM

πi (JψiKMπi ) =

µM•

πi (JψiKM•|πi ). Please note that there is no probability formula occurring in ψi since

d(ϕ) = 0. We have the following.

µMπi (JψiK

Mπi ) =

∑{t∈IM|πi |M,t ψi}

µMπi (t)

=∑

{t∈IM|πi |M,t ψi}

µM•

πi ([σ]πit ) (by Claim 2.4.11.2)

=∑

t∈IM|πi

∑{σ′∈[σ]

πit |M,t ψi}

µM•

πi (σ′)

=∑

t∈IM|πi

∑{σ′∈[σ]

πit |M•|πi ,σ′�ψi}

µM•

πi (σ′) (by Claim 2.4.11.3)

=∑

{σ∈IM• |πi |M•|πi ,σ�ψi}

µM•

πi (σ)

= µM•

πi (JψiKM•|πi )

�2

2.4.3 Canonical nonstandard model

Up to now, we have shown that each ϕ ∈ LLCPP can be reduced to a formula ϕ′ ∈ LBLCPP(Proposition 2.4.8) and if a formula ϕ′ ∈ LBLCPP is satisfiable in nonstandard models, itis satisfiable in standard models (Proposition 2.4.11). To show that SLCPP is completewith respect to standard models, we only need to show that each SLCPP-consistentformula ϕ ∈ LBLCPP is satisfiable in nonstandard models.

Let ϕ ∈ LBLCPP be consistent. Next, we will construct a canonical nonstandard modelfor ϕ and show the truth lemma. The canonical model will be built by levels, and thenumber of its levels will be bounded by the modal depth of ϕ. The notion of modaldepth is defined in the following.


Definition 2.4.12 (Modal Depth) The modal depth of a formula ψ ∈ LLCPP, denotedas md(ϕ), is defined as follows.

md(p) = 0md(¬ψ) = md(ψ)md(ψ ∧ ψ′) = max{md(ψ),md(ψ′)}md([a]ψ) = 1 +md(ψ)md(

∑ni=1 qiBπiψi ≥ q) = max{|πi|+md(ψi) | 1 ≤ i ≤ n}

where |πi| is the length of the sequence πi.

Here are some notions before we construct the model for ϕ. We use Act|ϕ to denotethe set of actions occurring in ϕ, and (Act|ϕ)n to denote the set of sequences whoselength is no bigger than n and whose actions are in Act|ϕ. If s is a finite set of formulas,we use ϕs to denote

∧ψ∈s ψ. Let ∼ψ = χ if ψ = ¬χ, otherwise, ∼ψ = ¬ψ. It is

obvious that ` ¬ψ ↔ ∼ψ. We use Sub+(ϕ) to denote the set Sub(ϕ) ∪ {∼ψ | ψ ∈Sub(ϕ)}, where Sub(ϕ) is the set of all subformulas of ϕ.

Let md(ϕ) = h. Next, we will define the canonical nonstandard model for ϕ. Notethat it is no harm to assume h > 0 since ` ϕ↔ ϕ ∧ [a]>.

Definition 2.4.13 Γϕk and Atomϕk (where 0 ≤ k ≤ h) are defined as follows.

• k = h

– Γϕh = {ψ ∈ sub+(ϕ) | md(ψ) = 0, ψ ∈ LB-FreeLCPP };– Atomϕ

h = {s | s is a maximally consistent subset of Γϕ0 };

• k < h but k > 0

– Γϕk = {ψ ∈ sub+(ϕ) | md(ψ) ≤ h− k, ψ ∈ LB-FreeLCPP }∪ {sub+(〈a〉ϕs) | a ∈ (Act|ϕ), s ∈ Atomϕ

k+1};– Atomϕ

k = {s | s is a maximally consistent subset of Γϕk };

• k = 0

– Γϕ0 = sub+(ϕ)∪{sub+(Bε(ψ1∧ · · ·∧ψj) ≥ 0) | ψ1, · · · , ψj ∈ sub+(ϕ)∩LB-FreeLCPP }∪ {sub+(Bε〈π〉ϕs ≤ 0) | s ∈ Atomϕ

k , π ∈ (Act|ϕ)k, 1 ≤ k ≤ h};– Atomϕ

0 = {s | s is a maximally consistent subset of Γϕh}

By induction on k, it is easy to show that all Γϕk and allAtomϕk are finite. Since each

Atomϕk is the set of all maximally consistent subset of Γϕk , we have the following two

propositions.

Proposition 2.4.14 For each 0 ≤ k ≤ h, we have `∨s∈Atomϕk

ϕs

Proposition 2.4.15 For each ψ ∈ Γϕk , we have ` ψ ↔∨{s∈Atomϕk |ψ∈s}

ϕs

Let u be a set in Atomϕh such that ϕ ∈ u. Please note it follows by Lindenbaum’s

lemma that such a set u exists.


Definition 2.4.16 (Canonical Nonstandard Model) The canonical model Mϕu is defined

as follows:

• SMϕu = {(s, k) | s ∈ Atomϕ

k , 0 ≤ k ≤ h}

• RMϕu = {((s, k), a, (t, k + 1)) | ϕs ∧ 〈a〉ϕt is consistent, a ∈ Act|ϕ}

• IMϕu = {(s, 0) | s and u contain the same probability literals}

• VMϕu (p) = {(s, k) | p ∈ s} for each p ∈ sub+(ϕ)

• µMϕu

π is defined latter.

where a probability literal is a formula of the form∑ni=1 qiψi ≤ q or ¬(

∑ni=1 qiψi ≤

q).

Proposition 2.4.17 For each (s, k) ∈ SMϕu and 〈a〉ψ ∈ sub+(ϕ), 〈a〉ψ ∈ s iff there

exists (t, k + 1) ∈ SMϕu such that ψ ∈ t and (s, k)

a−→ (t, k + 1).

PROOF We leave the proof of left-to-right to the reader. Please note that it follows bythe definition that k < h since 〈a〉ψ ∈ s and s ∈ Atomϕ

k . Assume that 〈a〉ψ ∈ s andthat there does not exist (t, k + 1) ∈ SMϕ

u such that ψ ∈ t and (s, k)a−→ (t, k + 1).

It follows that for all t ∈ Atomϕk+1: if ψ ∈ t then ϕs ` [a]¬ϕt. Let t1, · · · , tn be all

the sets in Atomϕk+1 such that ψ is a member of them. It follows by Proposition 2.4.15

that ` ψ ↔ ϕt1 ∨ · · · ∨ ϕtn . Moreover, since ` ϕs → ([a]¬ϕt1 ∧ · · · ∧ [a]ϕtn), itis easy to show that ` ϕs → [a]¬ψ. This is in contradiction with 〈a〉ψ ∈ s and theassumption that s is consistent. Therefore, we have shown if 〈a〉ψ ∈ s then there exists(t, k + 1) ∈ SMϕ

u such that ψ ∈ t and (s, k)a−→ (t, k + 1). 2

With the proposition above, we have the following proposition immediately, whichis the “truth lemma” for formulas in LB-FreeLCPP .

Proposition 2.4.18 For each ψ ∈ sub+(ϕ)∩LB-FreeLCPP and each (s, k) ∈ SMϕu , we have

Mϕu , (s, k) ψ iff ψ ∈ s.

Next, we will focus on the probability formulas. We will show that there exist func-tions µMϕ

uπ to make sure the probability formulas are true.

Proposition 2.4.19 Given (s, k) ∈ SMϕu and π ∈ (Act|ϕ)k, (s, k) ∈ IMϕ

u |π implies` ϕu → Bπϕs > 0.

PROOF For the case of k = 0 and π := ε, let ψ ∈ s be a probability literal, and letχ := ∧(s \ {ψ}). By Proposition 2.3.14 and Proposition 2.3.2, it is easy to show that` Bεϕs ≤ 0 ↔ ¬ψ ∨ Bεχ ≤ 0. Since (s, 0) ∈ IM

ϕu , it follows that ` ϕu → ψ.

Thus, we have ` ϕu ∧ Bεϕs ≤ 0 → Bεχ ≤ 0. Since ` ϕs → χ, it follows byAxiom T that ` ϕs → Bεχ > 0. By Definition 2.4.13, it follows that Bεχ > 0 ∈ Γϕ0 .Thus, we have Bεχ > 0 ∈ s, and consequently Bεχ > 0 ∈ u. Therefore, we have` ϕu ∧Bεϕs ≤ 0→ ⊥, and consequently ` ϕu → Bεϕs > 0.

For the case of k + 1 and πa, it follows by (s, k + 1) ∈ IMϕu |πa that there exists

(w, 0) ∈ IMϕu such that (w, 0)

πa−−→ (s, k + 1). According to Proposition 2.3.15, byinduction on π, it is easy to show that ` Bε〈πa〉ψ > 0 → Bπaψ > 0. Since w and u


share the same probability formulas and Bε〈πa〉ϕs > 0 ∈ Γϕ0 , by Axioms T, we onlyneed to show that 〈πa〉ϕs ∈ w. Next we will show it by induction on π. It is obviousfor the case of a. For the case of πa, we have that (w, 0)

π−→ (w′, k)a−→ (s, k + 1)

for some (w′, k) ∈ SMϕu . It follows by induction on π that 〈π〉ϕw′ ∈ w. Moreover,

since 〈a〉ϕs ∈ w′, we have ` ϕw → 〈π〉ϕw′ and ` ϕw′ → 〈a〉ϕs. Therefore, we have` ϕw → 〈πa〉ϕs, and consequently 〈πa〉ϕs ∈ w. 2

Proposition 2.4.20 If Bεψ > 0 ∈ u then there exists (s, 0) ∈ IMϕu such that ψ ∈ s.

PROOF Let D be the set of all the probability literals in u. We then only need toshow that D ∪ {ψ} is consistent. If it is not, we have ` ϕD → ¬ψ. It followsby Axiom PRTR(ε) that Bε(¬ϕD ∨ ¬ψ) = 1. It follows by Proposition 2.3.14 that` ¬ϕD ∨ Bε¬ψ = 1. Since ` ϕu → ϕD, we have ` ϕu → Bε¬ψ = 1. By AxiomsPRTR(ε) and Proposition 2.3.3, it follows that ` ϕu → Bεψ = 0. This is in contradic-tion with Bεψ > 0 ∈ u. Therefore, D ∪ {ψ} is consistent. 2

Proposition 2.4.21 If 〈π〉ψ ∈ s for some (s, 0) ∈ SMϕu , there exists (t, |π|) ∈ SMϕ

u

such that (s, 0)π−→ (t, |π|) and ψ is consistent with t.

PROOF We prove it by induction on π. It is obvious if π := ε. If it is πa, it follows byinduction on π that there exists (s′, |π|) ∈ SMϕ

u such that (s, 0)π−→ (s′, |π|) and 〈a〉ψ is

consistent with s′. Next, we only need to show that there exists (t, |πa|) ∈ SMϕu such

that (s′, |π|) a−→ (t, |πa|) and ψ is consistent with t.We construct an appropriate t ∈ Atomϕ

|πa| by forcing choices. Enumerate the for-mulas in Γϕ|πa| as χ1, · · · , χm. Define D0 to be {ψ}. Then ϕs′ ∧ 〈a〉ϕD0 is consistent.Suppose that Dj is a formula set such that ϕs′ ∧〈a〉ϕDj is consistent where 0 ≤ j ≤ m.Therefore,either for D′ = Dj ∪ {χj+1} or for D′ = Dj ∪ {¬χj+1} we have thatϕs′ ∧ 〈a〉ϕD′ is consistent. Choose Dj+1 to this consistent expansion, and let t beDm ∩ Γϕ|πa|. Thus, we have t ∈ Atomϕ

|πa|, ϕs′ ∧ 〈a〉ϕt is consistent and t is consistent

with ψ. Therefore, we have (s′, |π|) a−→ (t, |πa|) and (s, 0)πa−−→ (t, |πa|). 2

Proposition 2.4.22 Given (s, k) ∈ SMϕu and π ∈ (Act|ϕ)k, (s, k) 6∈ IMϕ

u |π implies` ϕu → Bπϕs = 0.

PROOF For the case of k = 0 and π := ε, without loss of generality, assuming¬ψ ∈ u and ψ ∈ s for some probability literal ψ ∈ Γϕ0 . Let χ := ∧(s \ {ψ}). ByProposition 2.3.14, it follows that ` Bεϕs > 0 ↔ ψ ∧ Bεχ > 0. Therefore, we have` ϕu ∧ Bεϕs > 0 → ⊥, and consequently ` ϕu → Bεϕs ≤ 0. It follows by AxiomNonneg(ε) that ` ϕu → Bεϕs = 0.

For the case of k + 1 and πa, by Axiom Nonneg(ε), we only need to show `ϕu → Bπaϕs ≤ 0. If ϕu ∧ Bπaϕs > 0 is consistent, it follows by Axiom PRF(πa)that ϕu ∧ Bε〈πa〉ϕs > 0 is consistent. Since Bε〈πa〉ϕs > 0 ∈ Γϕ0 , it follows thatBε〈πa〉ϕs > 0 ∈ u. It follows by Proposition 2.4.20 that 〈πa〉ϕs ∈ w for some(w, 0) ∈ IM

ϕu . By Proposition 2.4.21 that there exists (v, k + 1) ∈ SMϕ

u such that(w, 0)

πa−−→ (v, k + 1) and ϕs is consistent with v. This means that s = v, and


then (s, k + 1) ∈ IMϕu |πa. This is in contradiction with our assumption. Therefore,

ϕu ∧Bπaϕs > 0 is not consistent, and consequently ` ϕu → Bπaϕs = 0. 2

Proposition 2.4.23 ` Bπiψi =∑{s∈Atomϕ|πi||ψi∈s}

Bπiϕs if∑ni=1 qiBπiψi ≥ q ∈

sub+(ϕ).

PROOF It can be easily shown by Proposition 2.3.16 2

As we said before, Proposition 2.4.18 is the “truth lemma” for formulas in LB-FreeLCPP .Before we show the “truth lemma” for formulas in LBLCPP, we fist need to show the fol-lowing proposition, which says that there exists probability functions to ensure probabil-ity formulas. The proof idea is that based on Propositions 2.4.19 – 2.4.23, we list all theconditions that probabilities in nonstandard models need to satisfy (cf. Definition 2.4.9)and show that these condition formulas are consistent. Then, these consistent conditionformulas will generated a consistent set of inequalities. Finally, by the completeness oflinear inequality logic, there exists a solution for these inequalities.

Proposition 2.4.24 There exists functions µMϕu

π : IMϕu |π → Q+ where π ∈ Act∗ such

that Mϕu is a nonstandard model and that

∑ni=1 qiBπiψi ≥ q ∈ u iff

∑ni=1 qiµ

Mϕu

πi (Di) ≥q where Di = {(s, |πi|) ∈ IM

ϕu |πi | ψi ∈ s} for each

∑ni=1 qiBπiψi ≥ q ∈ sub+(ϕ).

PROOF Firstly, it follows from Proposition 2.4.14 that ` > ↔∨s∈Atomϕ0

ϕs. ByAxioms PRTR(ε) and Proposition 2.3.16, it follows that

`∑

s∈Atomϕ0

Bεϕs = 1 (2.14)

By Proposition 2.4.19, for each (s, 0) ∈ IMϕu , we have

u ` Bεϕs > 0 (2.15)

By Proposition 2.4.22, for each (s, 0) 6∈ IMϕu , we have

u ` Bεϕs = 0 (2.16)

Secondly, it follows by Proposition 2.4.14 and 2.4.15 that ` > ↔∨s∈Atomϕ|πa|

ϕs

and ` 〈a〉> ↔∨{s∈Atomϕ|π||〈a〉>∈s}

ϕs. By Proposition 2.3.6 and proposition 2.3.16, itfollows that

`∑

s∈Atomϕ|πa|

Bπaϕs =∑

{s∈Atomϕ|π||〈a〉>∈s}

Bπϕs (2.17)

By Proposition 2.4.19, for each (s, |πa|) ∈ IMϕu |πa, we have

u ` Bπaϕs > 0 (2.18)

By Proposition 2.4.19, for each (s, |πa|) 6∈ IMϕu |πa, we have

u ` Bπaϕs = 0 (2.19)


Thirdly, for each state set E ⊆ IMϕu |πa, it follows by Proposition 2.3.16 that `

Bπa∨

(t,|πa|)∈E ϕt =∑

(t,|πa|)∈E Bπaϕt. For each (t, |πa|) ∈ E, it follows by Pro-position 2.4.15 that ` 〈a〉ϕt ↔

∨{s∈Atomϕ|π||〈a〉ϕt∈s}

ϕs. What is more, since `〈a〉(

∨(t,|πa|)∈E ϕt)↔

∨(t,|πa|)∈E〈a〉ϕt, we have that

` 〈a〉(∨

(t,|πa|)∈E

ϕt)↔∨

{s∈Atomϕ|π||∃(t,|πa|)∈E:〈a〉ϕt∈s}

ϕs.

By Axiom Add(π), we have

` Bπ〈a〉(∨

(t,|πa|)∈E

ϕt) =∑


Bπϕs.

By Axiom PRF(πa), we have ` Bπa∨

(t,|πa|)∈E ϕt ≤ Bπ〈a〉(∨

(t,|πa|)∈E ϕt). There-fore, we have

`∑

(t,|πa|)∈E

Bπaϕt ≤∑


Bπϕs (2.20)

Moreover, for each set E ⊆ IMϕu |πa, if there exists (s, |π|) ∈ IM

ϕu |π such that

RMϕu (s, |π|)∩E 6= ∅ andRMϕ

u (s, |π|)\E 6= ∅, namely (t, |πa|) ∈ E and (t′, |πa|) 6∈ Efor some (t, |πa|), (t, |πa|) ∈ RMϕ

u (s, |π|), it follows that ` ϕt → ϕE (let ϕE :=∨(t,|πa|)∈E ϕt) and ` ϕt′ → ¬ϕE . Therefore, we have ` 〈a〉ϕt ∧ 〈a〉ϕt′ → 〈a〉ϕE ∧〈a〉¬ϕE . Since ` ϕs → 〈a〉ϕt ∧ 〈a〉ϕt′ , it follows that ` ϕs → 〈a〉ϕE ∧ 〈a〉¬ϕE .Therefore, we have ` Bπϕs ≤ Bπ(〈a〉ϕE ∧ 〈a〉¬ϕE). It follows by Proposition 2.4.19that u ` Bπ〈a〉ϕE ∧ 〈a〉¬ϕE > 0. Thus, by Proposition 2.3.7, we have u ` BπaϕE <Bπ〈a〉ϕE , namely u ` Bπa

∨t∈E ϕt < Bπ

∨t∈E〈a〉ϕt. Therefore, we have

u `∑

(t,|πa|)∈E

Bπaϕt <∑

{(s,|π|)∈IMϕu |π|∃(t,|πa|)∈E:〈a〉ϕt∈s}

Bπϕs (2.21)

Furthermore, for each χ :=∑ni=1 qiBπiψi ≥ q ∈ sub+(ϕ), if χ ∈ u, it follows by

Proposition 2.4.23 that

u `n∑i=1

(qi ·∑

{s∈Atomϕ|πi||ψi∈s}

Bπiϕs) ≥ q (2.22)

If χ 6∈ u, we have

u `n∑i=1

(qi ·∑

{s∈Atomϕ|πi||ψi∈s}

Bπiϕs) < q (2.23)

Finally, we can now construct a set of linear inequalities by replacing Bπϕs in for-mulas of (2.14) to (2.23) by variables xπ(s,|π|), which represents µMϕ

uπ (s, |π|). Since u is

consistent, it follows that this set of linear inequalities is also consistent. By complete-ness of the linear inequality system, this inequality set has a solution. We define µMϕ

uπ


by assigning µMϕu

π (s, |π|) the value of xπ(s,|π|). It follows by (2.14) to (2.21) that Mϕu

is a nonstandard model. For each χ :=∑ni=1 qiBπiψi ≥ q ∈ sub+(ϕ), it follows by

(2.22) and (2.23) that χ ∈ u iff∑ni=1 qiµ

Mϕu

πi ({s ∈ Atomϕ|πi| | ψi ∈ s}) ≥ q. By (2.16)

and (2.19), we have that µMϕu

πi (s, |π|) = 0 for each (s, |πi|) 6∈ IMϕu |πi . Therefore, we

have µMϕu

πi ({s ∈ Atomϕ|πi| | ψi ∈ s}) = µ

Mϕu

πi (Di). 2

Proposition 2.4.25 For each formula ψ ∈ sub+(ϕ) and each (s, 0) ∈ IMϕu , we have

Mϕu , (s, 0) ψ iff ψ ∈ s.

PROOF We prove it by induction on ψ. Since ϕ ∈ LBLCPP, it follows that sub+(ϕ) ⊂LBLCPP. By Proposition 2.4.18, we only need to focus on the case of

∑ni=1 qiBπiψi ≥ q.

Please note that if ψ :=∑ni=1 qiBπiψi ≥ q and ψ ∈ sub+(ϕ) then ψi ∈ LB-FreeLCPP . We

have the followings.

Mϕu , (s, 0)

n∑i=1

qiBπiψi ≥ q

⇐⇒n∑i=1

qiµMϕu

πi JψiKMϕu

πi ≥ q

where JψiKMϕu

πi = {(t, k) ∈ IMϕu |πi |Mϕ

u , (t, k) � ψi}(Please note that by induction on π it is easy to show

that (t, k) ∈ IMϕu |π implies k = |π|)

⇐⇒n∑i=1

qiµMϕu

πi Di ≥ q

where Di = {(t, |πi|) ∈ IMϕu |πi | ψi ∈ t}

(since ψi ∈ LB-FreeLCPP , by Proposition 2.4.18 we have JψiKMϕu

πi = Di)

⇐⇒n∑i=1

qiBπiψi ≥ q ∈ u (by Proposition 2.4.24)

⇐⇒n∑i=1

qiBπiψi ≥ q ∈ s (by (s, 0) ∈ IMϕu )

2

By Proposition 2.4.18 and Proposition 2.4.25, the following proposition follows im-mediately.

Proposition 2.4.26 If ϕ ∈ LBLCPP is consistent then it is satisfiable in nonstandard mod-els.

Now we are ready for the completeness of SLCPP in standard models.

Theorem 2.4.27 (Completeness) For each formula ϕ ∈ LLCPP, � ϕ implies ` ϕ.


PROOF We only need to show that if ¬ϕ is consistent then ¬ϕ is satisfiable in standardmodels. If ¬ϕ is consistent, it follows by Proposition 2.4.8 that there exists a formulaϕ′ ∈ LBLCPP such that ` ¬ϕ ↔ ϕ′ and ϕ′ is consistent. It follows by Proposition 2.4.26that ϕ′ is satisfiable in nonstandard models. By Proposition 2.4.11, it follows that ϕ′

is satisfiable in standard models. It follows by the soundness that ¬ϕ is satisfiable instandard models. 2

2.5 DecidabilityThis section will show that the problem whether a formula ϕ ∈ LLCPP is satisfiablein standard models is decidable. First, we show that the problem whether a formulaϕ ∈ LBLCPP is satisfiable in nonstandard models is decidable. Second, we show that aformula ϕ ∈ LBLCPP is satisfiable in standard models if and only if it is satisfiable innonstandard models. Since each ϕ ∈ LLCPP can be reduced to be a formula ϕ′ ∈ LBLCPP,thus the decidability of ϕ′ in nonstandard models will lead to the decidability of ϕ instandard models.

Given ϕ ∈ LBLCPP, we use |ϕ| to denote the length of ϕ and use f(|ϕ|) to denote thesize of the canonical nonstandard model. It is obvious that f(|ϕ|) ∈ N. We use ||ϕ|| todenote the length of the longest coefficients that appear in ϕ.

Proposition 2.5.1 If ϕ ∈ LBLCPP is satisfiable in nonstandard models then it is alsosatisfiable in a nonstandard model with at most f(|ϕ|) states where the value assignedto each state by µM

π is a rational number with size of O(r||ϕ|| + r log r), where r =O(|ϕ||ϕ| + 2f(|ϕ|)).

PROOF If ϕ ∈ LBLCPP is satisfiable in nonstandard models, it follows by Proposi-tion 2.4.11 that ϕ is satisfiable in standard models. By the soundness of SLCPP withrespect to standard models, we have that ϕ is consistent. As it is shown in the proof ofcompleteness, ϕ is satisfiable in the canonical nonstandard model whose size is f(|ϕ|).Next, we will show that for each t ∈ IMϕ

u |π , µMϕu

π (t) is a rational number whose sizecan be bounded by O(r||ϕ|| + r log r). Please note that we only need to care about theaction sequence π ∈ (Act|ϕ)md(ϕ).

In the proof of Proposition 2.4.24, we know that the value of µMϕu

π (t) is determ-ined by the system of linear inequalities listed by (2.14)–(2.23) in the proof of Proposi-tion 2.4.24. Next, we will show how many linear inequalities are listed by (2.14)–(2.23).

By (2.22) and (2.23), for each χ of the form∑mi=1 qiψi ≥ q and χ ∈ sub+(ϕ), there

is a corresponding linear inequality. Therefore, (2.22) and (2.23) list at most |ϕ| linearinequalities into the system.

(2.14)–(2.16) are the requirements that the function µMϕu

ε needs to meet. They list 5linear inequalities into the system. Please note that the linear inequality x1 + · · ·xk = qis two inequalities in the system, that is, x1+· · ·xk ≥ q and (−1)x1+· · · (−1)xk ≤ −q.

(2.17)–(2.21) are the requirements that the function µMϕu

πa needs to meet for eachπa ∈ (Act|ϕ)md(ϕ). Given πa ∈ (Act|ϕ)md(ϕ), (2.17)–(2.19) list 5 linear inequalities.(2.20)–(2.21) list 2 linear inequalities for eachE ⊆ IMϕ

u |πa. Since IMϕu |πa ⊆ SMϕ

u andthe size of SMϕ

u is f(|ϕ|), there are at most 2f(|ϕ|) such subset E. Therefore, (2.17)–(2.21) list at most 5 + 2 × 2f(|ϕ|) linear inequalities for each πa ∈ (Act|ϕ)md(ϕ).

2.5. DECIDABILITY 45

Since there are at most |ϕ||ϕ|sequences in (Act|ϕ)md(ϕ), thus (2.17)–(2.21) list at most|ϕ||ϕ|(5 + 2× 2f(|ϕ|)) linear inequalities in the system.

Therefore, (2.14)–(2.23) list at most |ϕ|+ 5 + |ϕ||ϕ|(5 + 2× 2f(|ϕ|)) linear inequal-ities in the system of linear inequalities. Since |ϕ| + 5 + |ϕ||ϕ|(5 + 2 × 2f(|ϕ|)) ≤ r,there are at most r linear inequalities in the system. It follows by Theorem A.2.8 thatthere exists a probability function µM

π such that the value assigned to each state by µMπ

is a rational number with size of O(r||ϕ||+ r log r). 2

The following proposition follows immediately.

Proposition 2.5.2 Given ϕ ∈ LBLCPP, the problem whether ϕ is satisfiable in nonstand-ard models is decidable.

Next, we show that the problem whether ϕ ∈ LBLCPP is satisfiable in standard modelscan be reduced to the problem whether ϕ is satisfiable in nonstandard models.

Proposition 2.5.3 ϕ ∈ LBLCPP is satisfiable in standard models if and only if ϕ is satis-fiable in nonstandard models.

PROOF Due to Proposition 2.4.11, we only need to show that if ϕ ∈ LBLCPP is satis-fiable in standard models then it is also satisfiable in nonstandard models. Given a stand-ard modelM = 〈SM, RM, P rM, IM, BM, VM〉 withM, s � ϕ for some s ∈ IM,we define the nonstandard modelM• as follows.

SM•

= SM

RM•

= RM

IM•

= IM

VM•

= VM

µM•

π = µMπ

Please note that µMπ is defined in Definition 2.2.4.First, we need to show thatM• is indeed a nonstandard model. We need to show

the following claim.

Claim 2.5.3.1 1. µM•

ε (IM•) = 1 and µM

•

ε (s) > 0 for each s ∈ IM• ;

2. µM•

πa (IM• |πa) = µM

•

π ({s ∈ IM• |π | RM•a (s) 6= ∅}) and µM•

πa (t) > 0 for eacht ∈ IM• |πa;

3. µM•

πa (E) ≤ µM•π ({s ∈ IM• |π | ∃t ∈ E : sa−→ t}) for each E ⊆ IM• |πa;

4. µM•

πa (E) < µM•

π ({s ∈ IM• |π | ∃t ∈ E : sa−→ t}) for each E ⊆ IM

• |πa suchthat RM

•

a (s) ∩ E 6= ∅ and RM•

a (s) \ E 6= ∅ for some s ∈ IM• |π .

Proof of claim 2.5.3.1:

1. Since µM•

ε = BM, this is obvious.


2. First, we show µM•

πa (t) > 0 given t ∈ IM• |πa. Since t ∈ IM• |πa = IM|πa, itfollows that there is a sequence s0a1 · · · sn such that s0 ∈ IM, si

ai+1−−−→ si+1 forall 0 ≤ i < n, and sn = t. It follows thatBM(s0) > 0, PrM(si, ai+1, si+1) > 0for all 0 ≤ i < n. It follows by Definition 2.2.4 that µMπa(t) ≥ BM(s0) ×Πni=1Pr

M(si−1, ai, si). SinceBM(s0)×Πni=1Pr

M(si−1, ai, si) > 0 and µM•

πa =µMπa, it follows that µM

•

πa (t) > 0.

Second, letD = {s ∈ IM• |π | RM•a (s) 6= ∅} then we will show µM•

πa (IM• |πa) =

µM•

π (D). By the definition, we only need to show µMπa(IM|πa) = µMπ (D′) whereD′ = {s ∈ IM|π | RMa (s) 6= ∅}. If IM|πa = ∅, it is obvious. If IM|πa 6= ∅, itfollows that IM|πa = J>KM|

πa

and D′ = J〈a〉>KM|π

. By Proposition 2.2.11, itfollows that µMπa(IM|πa) = µMπ (D′).

3. We only need to show that µMπa(E) ≤ µMπ ({s ∈ IM|π | ∃t ∈ E : sa−→ t}) for

each E ⊆ IM|πa. Given E ⊆ IM|πa, let D = {s ∈ IM|π | ∃t ∈ E : sa−→ t}.

If E = ∅, it is obvious. If E 6= ∅, for each t ∈ E, there exists s ∈ D such thatsa−→ t. Moreover, it follows by Definition 2.2.4 that for each t ∈ E,

µMπa(t) =∑

{s∈D|sa−→t}

µMπ (s)× PrM(s, a, t)

We then have the following:

µMπa(E)

=∑t∈E µ

Mπa(t)

=∑t∈E

(∑{s∈D|s

a−→t} µMπ (s)× PrM(s, a, t)

)=

∑s∈D µ

Mπ (s)×

(∑t∈(E∩RMa (s)) Pr

M(s, a, t))

≤∑s∈D µ

Mπ (s) since 0 <

∑t∈(E∩RMa (s)) Pr

M(s, a, t) ≤ 1

= µMπ (D)

4. Given u ∈ IM|π and E ⊆ IM|πa, there are v, v′ ∈ RMa (u) such that v ∈ E andv′ 6∈ E. We need to show µMπa(E) < µMπ (D) where D = {s ∈ IM|π | ∃t ∈E : s

a−→ t}. In 3. above, we have shown that µMπa(E) ≤ µMπ (D) since for eachs ∈ D:

µMπ (s)×( ∑t∈(E∩RMa (s))

PrM(s, a, t))≤ µMπ (s)

which is due to0 <

∑t∈(E∩RMa (s))

PrM(s, a, t) ≤ 1.

However, since there are v, v′ ∈ RMa (u) such that v ∈ E and v′ 6∈ E, thus wehave

0 <∑

t∈(E∩RMa (u))

PrM(u, a, t) < 1.

2.6. CONCLUSION 47

Therefore, we have

µMπ (u)×( ∑t∈(E∩RMa (u))

PrM(u, a, t))< µMπ (u).

Since u ∈ D, it follows that µMπa(E) < µMπ (D).

�Second, by induction on the formula ψ, it is easy to show thatM•, t ψ if and only

ifM|π, t � ψ for each ψ ∈ LB-FreeLCPP , each t ∈ SM, and each π ∈ Act∗ with t ∈ IM|π .Third, we will showM•, u ψ if and only ifM, u � ψ for each ψ ∈ LBLCPP and

each u ∈ IM. We prove it by induction on ψ. Please note that ψ ∈ LBLCPP. Due to thesecond step, here we only focus on the case of

∑ni=1 qiBπiψi ≥ q. Since µMπi = µM

•

πi ,we only need to show JψiKM|

πi= JψiKM

•

πi . Since ψi ∈ LB-FreeLCPP , it follows by thesecond step that JψiKM|

πi= JψiKM

•

πi . 2

Now, we are ready to show the decidability of LCPP in standard models.

Theorem 2.5.4 (Decidability) Given ϕ ∈ LLCPP, the problem whether ϕ is satisfiablein standard models is decidable.

PROOF Assume the nesting degree of ϕ is d(ϕ) = k. It is obvious that k ≤ |ϕ|. Letϕ1, · · · , ϕi where i ≤ k be the subformulas of ϕ such that d(ϕj) = 1 for all 1 ≤ j ≤ i.The proofs of Proposition 2.4.6 and Proposition 2.4.7 supply procedures to reduce eachϕj to a formula ϕ′j such that ` ϕj ↔ ϕ′j and d(ϕ′j) = 0. Since the length of eachϕj is finite, the procedures can be terminated in a finite number of steps. We can thenobtain the formula ϕ′ by replacing each ψj with ψ′j . It follows that d(ϕ′) = k − 1. ByProposition 2.3.4, we have ` ϕ ↔ ϕ′. If k − 1 > 0, we do the same procedure for ϕ′.Therefore, we can obtain a formula ψ in a finite number of steps such that ` ϕ↔ ψ andd(ψ) = 0.

It follows by the soundness that ϕ is satisfiable in standard models if and only if ψ issatisfiable in standard models. Since ψ ∈ LBLCPP, it follows by Proposition 2.5.3 that ψis satisfiable in standard models if and only if it is satisfiable in nonstandard models. ByProposition 2.5.2, the problem whether ψ is satisfiable in nonstandard models is decid-able. Therefore, the problem whether ϕ is satisfiable in standard models is decidable. 2

2.6 ConclusionIn this chapter, we developed a logical framework for conformant probabilistic planning.As we argue, this approach differs from existing approaches to conformant probabilisticplanning by focusing on a logical language with which to specify plans. Rather thanthinking of goals of plans as subsets of the set of nodes of a probabilistic transitionsystem, our framework allows one to think of the goal as a formula, which may be moreconvenient when we formulate goals that are probabilistic in nature. (Say: some messageshould arrive with probability greater than 0.9.) We believe that this contribution to thefield of planning is very much worthwhile.


The particular logic we developed allows for reasoning about conformant plans andtheir probabilistic consequences. We provided an intuitive semantics, which makes itclear how probabilities change as actions are undertaken. We also provided a completeaxiomatization of the logic, which shows that it is rather well-behaved for a logic thatdeals with conformant probabilistic planning.

In the future, we hope to expand this work so it can deal with multi-agent scenarios,where different agents may have different pieces of information about the state of thetransition system and where different agents may not share the same prior probabilitydistribution over the set of nodes of the transition system. We also hope to implement(part of) the framework so that one can actually use it for planning, even though initiallywe will only deal with toy examples. Still, even though these will be toy examples,we believe the addition of a logical language to a conformant probabilistic planningscenario, will already show its use in those cases.

Another direction for future research is to generalize the models by allowing statesto be partially observable through sensors that map the true state of the world ontoobservable tokens, which is called Partially Observable Markov Decision Processes(POMDPs). For POMDP planning, the plan is usually a policy mapping of belief statesonto actions (cf. (Geffner and Bonet, 2013)). Therefore, to deal with the reasoning inPOMDP planning, we also need to expand the language in order to be capable of talkingabout policies.

Furthermore, with a possible implementation in mind, future research will includedetermining the complexity of algorithms for model checking and planning, which willmake a comparison with standard AI approaches to planning feasible.

Chapter 3

Knowing how with intermediateconstraints1

3.1 Introduction

Standard epistemic logic proposed by Hintikka (1962) studies propositional knowledgeexpressed by “knowing that ϕ”. However, there are very natural knowledge expressionsbeyond “knowing that”, such as “knowing what your password is”, “knowing why hecame late”, “knowing how to go to Beijing”, and so on. In particular, knowing howreceived much attention in both philosophy and AI.

In philosophy, researchers debate about whether knowledge-how is also proposi-tional knowledge (cf. Fantl (2008)). In AI, dating back to McCarthy and Hayes (1969),McCarthy (1979), and Moore (1985), people already started to look at it in the setting oflogics of knowledge and action. However, there still is no consensus on how to capturethe logic of “knowing how” formally (cf. the recent surveys Gochet (2013) and Agotneset al. (2015)). The difficulties are well discussed in Jamroga and Agotnes (2007) andHerzig (2015) and simply combining the existing modalities for “knowing that” and“ability” in a logical language like ATEL (see van der Hoek and Wooldridge (2003))does not lead to a genuine notion of “knowing how”.

In Wang (2015a, 2016), a new approach is proposed by introducing a single newmodality Kh of goal-directed knowing how, which includes formulas Kh(ψ,ϕ) to ex-press that the agent knows how to achieve states in which ϕ is true given a preconditionthat ψ. The models are labelled transition systems which represent the agent’s abilit-ies, inspired by Wang (2015b). Borrowing the idea from conformant planning in AI(cf. Smith and Weld (1998); Yu et al. (2016)), Kh(ψ,ϕ) holds globally in a labelledtransition system if there is a plan such that from all the ψ-states this plan can alwaysbe successfully executed to reach some ϕ-states. As an example, Figure 3.1 depictsa model, where si are places connected by corridors (r) or stairs (u).2 The formulaKh(p, q) holds in this model, since there is a plan ru which can always work to reach aq-state from any p-state. In Wang (2015a), a sound and complete proof system is given,

1This is an extended version of joint work with Yanjing Wang (Li and Wang (2017)).2This is a variant of the running example used in Wang and Li (2012).

49

50 CHAPTER 3. KNOWING HOW WITH INTERMEDIATE CONSTRAINTS

s6 s7 : q s8 : q

s1 r // s2 : p r //

u

::

u

OO

s3 : p r //

u

OO

s4 : q r //

u

OO

s5

Figure 3.1

featuring a crucial axiom capturing the compositionality of plans:

COMPKh (Kh(p, r) ∧ Kh(r, q))→ Kh(p, q)

However, as observed in Lau and Wang (2016), constraints on how we achieve thegoal often matter. For example, the ways for me to go to New York are constrainedby the money I have; we want to know how to win the game by playing fairly; peoplewant to know how to be rich without breaking the law. Generally speaking, actions havecosts, both financially and morally. We need to stay within our “budget” in reachingour goals. Apparently, such intermediate constraints cannot be expressed by Kh(ψ,ϕ)since it only cares about the starting and ending states. This motivates us to introduce aternary modality Khm(ψ, χ, ϕ) where χ constrains the intermediate states.

In the rest of the chapter, we first introduce the language, semantics, and a proofsystem of our logic in Section 3.2; in Section 3.3, we give a non-trivial completenessproof of the proof system; in Section 3.4, we show that our logic is decidable; in the lastsection, we conclude with future directions.

3.2 The logic KHMThis section will introduce the logic of knowing how with intermediate constraints, andwe denote the logic as KHM.

3.2.1 Syntax and semanticsFirstly, we introduce the language of KHM. Besides the common boolean operators,there is a ternary modality to express knowing how and the intermediate constraints.This ternary modality was first proposed and discussed briefly in Wang (2016).

Definition 3.2.1 (Language) Given a countable set of proposition letters P, the lan-guage LKHM of KHM is defined as follows:

ϕ := ⊥ | p | ¬ϕ | (ϕ ∧ ϕ) | Khm(ϕ,ϕ, ϕ)

where p ∈ P. We will often omit parentheses around expressions when doing so oughtnot cause confusion. We use the standard abbreviations>, ϕ∨ψ and ϕ→ ψ, and defineUϕ as Khm(¬ϕ,>,⊥). U is intended to be an universal modality, and it will becomeclear after defining the semantics.

Khm(ψ, χ, ϕ) expresses that the agent knows how to guarantee ϕ given ψ whiletaking a route that satisfies χ (excluding the start and the end). Note that the formula

3.2. THE LOGIC KHM 51

Khm(ψ ∧ χ, χ, ϕ ∧ χ) expresses knowing how with inclusive intermediate constraints.Note that the binary know-how operator in Wang (2015b) can be defined asKh(ψ,ϕ) :=Khm(ψ,>, ϕ).

The language is interpreted on models which are labelled transition systems. Themodel illustrates what actions the agent can do in each state.

Definition 3.2.2 (Model) Given a countable set of proposition letters P, a model isessentially a labelled transition system (S,Act,R, V ) where:

• S is a non-empty set of states;

• Act is a set of actions;

• R : Act→ 2S×S is a collection of transitions labelled by actions in Act;

• V : S → 2P is a valuation function.

We write s a−→ t if (s, t) ∈ R(a). For a sequence σ = a1 . . . an ∈ Act∗ (Act∗ is allthe finite sequence generated by actions in Act), we write s σ−→ t if there exist s2 . . . snsuch that s a1−→ s2

a2−→ · · · an−1−−−→ snan−−→ t. Note that σ can be the empty sequence ε

(when n = 0), and we set s ε−→ s for all s. Let σk be the initial segment of σ up to ak fork ≤ |σ|. In particular let σ0 = ε.

Note that the labels in Act do not appear in the language. The graph in Figure 3.1represents a model. We also call an action sequence a plan. Normally, we say that a planσ is executable in a state s if there exists a state t ∈ S such that s σ−→ t, which meansthe agent can do σ in the state s. Next, we define a notion “strongly executable” whichmeans the agent will never fail if she performs a plan in a state.

Definition 3.2.3 (Strongly executable) We say σ = a1 · · · an is strongly executable ats′ if for each 0 ≤ k < n: s′ σk−→ t implies that t has at least one ak+1-successor.

Intuitively, σ is strongly executable at s if you can always successfully finish thewhole σ after executing any initial segment of σ from s. For example, ab is not stronglyexecutable at s1 in the model below, though it is executable at s1.

s2 b // s4 : qs1 : p

a33

a ++ s3

Definition 3.2.4 (Semantics) Suppose s is a state in a modelM = (S,Act,R, V ), wethen inductively define the notion of a formula ϕ being satisfied (or true) inM at states as follows:

M, s � ⊥ neverM, s � p ⇐⇒ p ∈ V (s).M, s � ¬ϕ ⇐⇒ M, s 2 ϕ.M, s � ϕ ∧ ψ ⇐⇒ M, s � ϕ andM, s � ψ.M, s � Khm(ψ, χ, ϕ) ⇐⇒ there exists a σ ∈ Act∗ such that for each s′ with

M, s′ � ψ, σ is strongly χ-executableat s′ andM, t � ϕ for all t with s′ σ−→ t,


where we say σ = a1 · · · an is strongly χ-executable at s′ if:

• σ is strongly executable at s′, and

• s′ σk−→ t impliesM, t � χ for all 0 < k < n.

It is obvious that ε is strongly χ-executable at each state s for each formula χ. Notethat Khm(ψ,⊥, ϕ) expresses that there is a σ ∈ Act ∪ {ε} such that the agent knowsdoing σ in ψ-states can guarantee ϕ, namely the witness plan σ is at most one-step. Asan example, Khm(p,⊥, o) and Khm(p, o, q) hold in the following model for the witnessplans a and ab respectively. Note that the truth value of Khm(ψ, χ, ϕ) does not dependon the designated state.

s2 : ob ,,

s1 : pa22

b ,,s4 : q

s3 : ¬o a22

Now we can also check that the operator U defined by Khm(¬ψ,>,⊥) is indeed a uni-versal modality:

M, s � Uϕ ⇔ for all t ∈ S,M, t � ϕ

3.2.2 A deductive systemIn this subsection, we provide a Hilbert-style proof system for the logic KHM. A proofconsists of a sequence of formulas such that each formula either is an instance of anaxiom or can be obtained by applying one of the rules to formulas occurring earlier inthe sequence.

Definition 3.2.5 (Deductive System SKHM) The axioms and rules shown in Table 3.1constitute the proof system SKHM. We write SKHM ` ϕ (or sometimes just ` ϕ) tomean that the formula ϕ is derivable in the axiomatic system SKHM; the negation ofSKHM ` ϕ is written SKHM 0 ϕ (or just 0 ϕ). To say that a set D of formulas isSKHM-inconsistent (or just inconsistent) means that there is a finite subset D′ ⊆ Dsuch that ` ¬

∧D′, where

∧D′ :=

∧ϕ∈D′ ϕ if D′ 6= ∅ and

∧ϕ∈∅ ϕ := >. To say that

a set of formulas is SKHM-consistent (or just consistent) means that the set of formulasis not inconsistent. Consistency or inconsistency of a formula refers to the consistencyor inconsistency of the singleton set containing the formula.

Note that DISTU, NECU, TU are standard for the universal modality U . 4KhmU and4KhmU are introspection axioms reflecting that Khm formulas are global. EMPKhm cap-tures the interaction between U and Khm via the empty plan. COMPKhm is the new com-position axiom for Khm. UKhm shows how we can weaken the knowing how claims.ONEKhm is the characteristic axiom for SKHM compared to the system for binary Kh,and it expresses the condition for the necessity of the intermediate steps.

Remark 3.2.6 Note that the corresponding axioms for COMPKhm, EMPKhm and UKhm inthe setting of binary Kh are the following:

COMPKh Kh(p, q) ∧ Kh(q, r)→ Kh(p, r)EMPKh U(p→ q)→ Kh(p, q)UKh U(p′ → p) ∧ U(q → q′) ∧ Kh(p, q)→ Kh(p′, q′)

3.2. THE LOGIC KHM 53

Axioms

TAUT all tautologies of propositional logic

DISTU (Up ∧ U(p→ q))→ UqTU Up→ p

4KhmU Khm(p, o, q)→ UKhm(p, o, q)5KhmU ¬Khm(p, o, q)→ U¬Khm(p, o, q)EMPKhm U(p→ q)→ Khm(p,⊥, q)COMPKhm (Khm(p, o, r) ∧ Khm(r, o, q) ∧ U(r → o))→ Khm(p, o, q)ONEKhm (Khm(p, o, q) ∧ ¬Khm(p,⊥, q))→ Khm(p,⊥, o)UKhm (U(p′ → p) ∧ U(o→ o′) ∧ U(q → q′) ∧ Khm(p, o, q))

→ Khm(p′, o′, q′)Rules

MPϕ,ϕ→ ψ

ψNECU

ϕ

UϕSUB

ϕ(p)

ϕ[ψ/p]

Table 3.1: System SKHM

In the system SKH of Wang (2015a), UKh (which is called WKKh there) can be de-rived using COMPKh and EMPKh. However, UKhm cannot be derived using COMPKhm andEMPKhm. In particular, Khm(p′,⊥, p) ∧ Khm(p, o, q) → Khm(p′, o, q) is not valid dueto the lack of U(p → o), in contrast with the SKH-derivable Kh(p′, p) ∧ Kh(p, q) →Kh(p′, q) which is crucial in the derivation of UKh in SKH.

Below we derive some theorems and rules that are useful in the later proofs.

Proposition 3.2.7 We can derive the following in SKHM:

4U Up→ UUp5U ¬Up→ U¬Up

ULKhm (U(p′ → p) ∧ Khm(p, o, q))→ Khm(p′, o, q)UMKhm (U(o→ o′) ∧ Khm(p, o, q))→ Khm(p, o′, q)URKhm (U(q → q′) ∧ Khm(p, o, q′))→ Khm(p, o, q′)UNIV U¬p→ Khm(p,⊥,⊥)REU from ϕ↔ ψ prove Uϕ↔ UψRE from ϕ↔ ψ prove χ↔ χ′

where χ′ is obtained by replacing some occurrences of ϕ in χ by ψ.

PROOF REU is immediate given DISTU and NECU. 4U and 5U are special cases of 4KhmUand 5KhmU respectively. ULKhm, UMKhm, URKhm are the special cases of UKhm. To proveUNIV, first, note that U¬p ↔ U(p → ⊥) due to REU. Then due to EMPKhm, we haveU¬p → Khm(p,⊥,⊥). RE can be obtained by an inductive proof on the shape of χ,which uses UKhm and NECU for the case of Khm(·, ·, ·). 2


Next, we will show that SKHM is sound with respect to the semantics provided inSection 3.2.1. Firstly we show that axioms EMPKhm, COMPKhm, ONEKhm, and UKhm arevalid.

Proposition 3.2.8 � U(p→ q)→ Khm(p,⊥, q)

PROOF Assuming thatM, s � U(p → q), it means thatM, t � p → q for all t ∈ S.GivenM, t � p, it follows thatM, t � q. Thus, we have ε is strongly ⊥-executable at t.Therefore, we haveM, s � Khm(p,⊥, q). 2

Proposition 3.2.9 � Khm(p, o, r) ∧ Khm(r, o, q) ∧ U(r → o)→ Khm(p, o, q)

PROOF AssumingM, s � Khm(p, o, r)∧Khm(r, o, q)∧U(r → o), we will show thatM, s � Khm(p, o, q). SinceM, s � Khm(p, o, r), it follows that there exists σ ∈ Act∗such that for eachM, u � p, σ is strongly o-executable at u and thatM, v � r for eachv with u σ−→ v. SinceM, s � Khm(r, o, q), it follows that there exists σ′ ∈ Act∗ suchthat for eachM, v′ � r, σ′ is strongly o-executable at v′ and thatM, t � q for each twith v′ σ−→ t. In order to showM, s � Khm(p, o, q), we only need to show that σσ′ is

strongly o-executable at u and thatM, t′ � q for each t′ with u σσ′−−→ t′, where u is astate withM, u � p.

By assumption, we know that σ is strongly o-executable at u, and for each v withu

σ−→ v, it follows by assumption that M, v � r and σ′ is strongly o-executable at v.Moreover, sinceM, s � U(r → o), it follows thatM, v � o for each v with u σ−→ v.

Thus, σσ′ is strongly o-executable at u. What is more, for each t′ with u σσ′−−→ t′, there

is v such that u σ−→ vσ′−→ t′ and M, v � r, it follows by assumption that M, t′ � q.

Therefore, we haveM, s � Khm(p, o, q). 2

Proposition 3.2.10 � Khm(p, o, q) ∧ ¬Khm(p,⊥, q)→ Khm(p,⊥, o)

PROOF AssumingM, s � Khm(p, o, q) ∧ ¬Khm(p,⊥, q), we will show thatM, s �Khm(p,⊥, o). SinceM, s � Khm(p, o, q), it follows that there exists σ ∈ Act∗ such thatfor eachM, u � p, σ is strongly o-executable at u andM, v � q for all v with u σ−→ v.If σ ∈ Act ∪ {ε}, it follows thatM, s � Khm(p,⊥, q). SinceM, s � ¬Khm(p,⊥, q),it follows that σ 6∈ Act ∪ {ε}. Thus, σ = a1 · · · an where n ≥ 2. Let u be a state suchthatM, u � p. Since σ = a1 · · · an is strongly o-executable at u, it follows that a1 isexecutable at u. Moreover, since n ≥ 2, we haveM, v � o for each v with u a1−→ v.Therefore, we haveM, s � Khm(p,⊥, o). 2

Proposition 3.2.11 � U(p′ → p) ∧ U(o → o′) ∧ U(q → q′) ∧ Khm(p, o, q) →Khm(p′, o′, q′)

PROOF Assuming M, s � U(p′ → p) ∧ U(o → o′) ∧ U(q → q′) ∧ Khm(p, o, q),we will show that M, s � Khm(p′, o′, q′). Since M, s � Khm(p, o, q), it follows thatthere exists σ ∈ Act∗ such that for eachM, u � p: σ is strongly o-executable at u andM, v � q for each v with u σ−→ v. Let s′ be a state withM, s′ � p′. Next we will showthat σ is strongly o′-executable at s′ andM, v′ � q′ for all v′ with s′ σ−→ v′.

3.3. DEDUCTIVE COMPLETENESS 55

SinceM, s � U(p′ → p), it follows thatM, s′ � p. Thus, σ is strongly o-executableat s′ andM, v′ � q for each v′ with s′ σ−→ v′. SinceM, s � U(o → o′), it follows thatσ is strongly o′-executable at s′. SinceM, s � U(q → q′), it follows thatM, v′ � q′

for each v′ with s′ σ−→ v′. 2

Since U is a universal modality, DISTU and TU are obviously valid. Since the mod-ality Khm is not local, it is easy to show that 4KhmU and 5KhmU are valid. Moreover, byPropositions 3.2.8–3.2.11, we have that all axioms are valid. Due to a standard argumentin modal logic, we know that the rules MP, NECU and SUB preserve a formula’s validity.The soundness of SKHM follows immediately.

Theorem 3.2.12 (Soundness) SKHM is sound w.r.t. the class of all models.

3.3 Deductive completenessThis section will prove that SKHM is complete w.r.t. the class of all models. For thesame reason as in Wang (2015a), we will build a canonical model for a given maximallyconsistent set (MCS). The reason is that the semantics of Khm formulas does not dependon the current state. Thus if they are true, they are true everywhere in the model. Itfollows that we cannot build a single canonical model to realize all the consistent setsof LKHM formulas simultaneously. Instead, for each maximally consistent set of LKHMformulas we build a separate canonical model.

However, the canonical model here is much more complicated. The reason is that inthe canonical model in Wang (2015a), each knowing-how formula Kh(ψ,ϕ) is realizedby a one-step witness plan, which does not work here. Some knowing-how formulashere, such as Khm(ψ, χ, ϕ) ∧ ¬Khm(ψ,⊥, ϕ), require their witness plans to have morethan one step. Therefore, we need a new method to construct the canonical model. Thereare two new features for the canonical model here. Firstly, the state of the canonicalmodel is a pair consisting of a maximally consistent set and a marker which will playan important role in defining the witness plan for Khm-formulas. Secondly, formulas ofthe formKhm(ψ,⊥, ϕ) are realized by one-step plans, and formulas likeKhm(ψ, χ, ϕ)∧¬Khm(ψ,⊥, ϕ) are realized by two-step plans. Moreover, we deal with the second stepof the plan differently from the first step of the plan.These features will become clear inthe following context.

Definition 3.3.1 We say that a set ∆ of formulas is maximally consistent in LKHM if ∆is consistent, and any set of formulas properly containing Γ is inconsistent. If ∆ is amaximally consistent set of formulas then we say it is an MCS.

Let Γ be an MCS in LKHM. In the following, we will build a canonical model for Γ.We first prepare ourselves with some auxiliary notions and some handy propositions.

Given a set of LKHM formulas ∆, let ∆|Khm and ∆|¬Khm be the collections of itspositive and negative Khm formulas:

∆|Khm = {θ | θ = Khm(ψ, χ, ϕ) ∈ ∆};

∆|¬Khm = {θ | θ = ¬Khm(ψ, χ, ϕ) ∈ ∆}.


Definition 3.3.2 Let ΦΓ be the set of all MCS ∆ such that ∆|Khm = Γ|Khm .

Note that ΦΓ is the set of all MCSs that share the same Khm formulas with Γ. Thecanonical model for Γ will be based on the MCSs in ΦΓ. Since every ∆ ∈ ΦΓ ismaximally consistent, the following proposition shows an obvious property of ΦΓ.

Proposition 3.3.3 For each ∆ ∈ ΦΓ, we have that Khm(ψ, χ, ϕ) ∈ Γ if and only ifKhm(ψ, χ, ϕ) ∈ ∆ for all Khm(ψ, χ, ϕ) ∈ LKHM.

By a standard argument of Lindenbaum’s lemma (cf. Blackburn et al. (2001)), wehave the following proposition.

Proposition 3.3.4 If ∆ is consistent then there is an MCS Γ such that ∆ ⊆ Γ.

The following proposition reveals a crucial property of ΦΓ, which will be used re-peatedly later.

Proposition 3.3.5 If ϕ ∈ ∆ for all ∆ ∈ ΦΓ then Uϕ ∈ ∆ for all ∆ ∈ ΦΓ.

PROOF Suppose ϕ ∈ ∆ for all ∆ ∈ ΦΓ, then by the definition of ΦΓ, ¬ϕ is notconsistent with Γ|Khm ∪ Γ|¬Khm , for otherwise Γ|Khm ∪ Γ|¬Khm ∪ {¬ϕ} can be extendedinto a maximally consistent set in ΦΓ due to Proposition 3.3.4. Thus there are formulasKhm(ψ1, χ1, ϕ1), . . . , Khm(ψk, χk, ϕk) ∈ Γ|Khm and formulas ¬Khm(ψ′1, χ′1, ϕ′1), . . . ,¬Khm(ψ′l, χ′l, ϕ′l) ∈ Γ|¬Khm such that

` (∧

1≤i≤k

Khm(ψi, χi, ϕi) ∧∧

1≤j≤l

¬Khm(ψ′j , χ′j , ϕ′j))→ ϕ.

By NECU,

` U((∧

1≤i≤k


1≤j≤l

¬Khm(ψ′j , χ′j , ϕ′j))→ ϕ).

By DISTU we have:

` U(∧

1≤i≤k


1≤j≤l

¬Khm(ψ′j , χ′j , ϕ′j))→ Uϕ.

Since Khm(ψ1, χ1, ϕ1), . . . , Khm(ψk, χk, ϕk) ∈ Γ, we have UKhm(ψ1, χ1, ϕ1), . . . ,UKhm(ψk, χk, ϕk) ∈ Γ due to 4KhmU and the fact that Γ is a maximally consistent set.Similarly, we have U¬Khm(ψ′1, χ′1, ϕ′1), . . . , U¬Khm(ψ′l, χ′l, ϕ′l) ∈ Γ due to 5KhmU. ByDISTU and NECU, it is easy to show that ` U(p ∧ q) ↔ Up ∧ Uq. Then due to a slightgeneralization, we have:

U(∧

1≤i≤k


1≤j≤l

¬Khm(ψ′j , χ′j , ϕ′j)) ∈ Γ.

Now it is immediate that Uϕ ∈ Γ. Due to Proposition 3.3.3, Uϕ ∈ ∆ for all ∆ ∈ ΦΓ. 2

Proposition 3.3.6 Given Khm(ψ,>, ϕ) ∈ Γ and ∆ ∈ ΦΓ, if ψ ∈ ∆ then there exists∆′ ∈ ΦΓ such that ϕ ∈ ∆′.


PROOF Assuming Khm(ψ,>, ϕ) ∈ Γ and ψ ∈ ∆ ∈ ΦΓ, if there does not exist∆′ ∈ ΦΓ such that ϕ ∈ ∆′, then ¬ϕ ∈ ∆′ for all ∆′ ∈ ΦΓ. It follows by Pro-position 3.3.5 that U¬ϕ ∈ Γ, namely Khm(ϕ,>,⊥) ∈ Γ. Since U(ϕ → ⊥) andKhm(ψ,>, ϕ) ∈ Γ, it follows by COMPKhm that Khm(ψ,>,⊥) ∈ Γ namely, U¬ψ ∈ Γ.By Proposition 3.3.3, we have that U¬ψ ∈ ∆. It follows by TU that ¬ψ ∈ ∆. This is incontradiction with ψ ∈ ∆. Therefore, there exists ∆′ ∈ ΦΓ such that ϕ ∈ ∆′. 2

Before building the canonical model for Γ, we firstly define the set of actions thatwould be part of the canonical model.

Definition 3.3.7 The set of action symbols ActΓ is defined as below.

ActΓ ={〈ψ,⊥, ϕ〉 | Khm(ψ,⊥, ϕ) ∈ Γ}∪{〈χψ, ϕ〉 | Khm(ψ, χ, ϕ),¬Khm(ψ,⊥, ϕ) ∈ Γ}

The first part of ActΓ is meant to handle the formulas Khm(ψ,⊥, ϕ). These formu-las can be witnessed by plans whose length are at most 1, and there are no intermediatestates in such plans. The second part of ActΓ is to handle the cases where the interme-diate state is indeed necessary: ¬Khm(ψ,⊥, ϕ) makes sure that you cannot have a planto guarantee ϕ in less than two steps.

In the following we build a separate canonical model for the MCS Γ, for it is notpossible to satisfy allKhm formulas simultaneously in a single model since those formu-las are evaluated globally. Even if Khm(ψ, χ, ϕ) and ¬Khm(ψ, χ, ϕ) are both consistent,they cannot be true in the same model. Because the later proofs are quite technical, itis very important to first understand the ideas behind the canonical model construction.Note that to satisfy a Khm(ψ, χ, ϕ) formula, there are two cases to be considered:

(1) Khm(ψ,⊥, ϕ) holds and we just need a one-step witness plan, which can behandled similarly using the techniques developed in Wang (2015a);

(2) Khm(ψ,⊥, ϕ) does not hold, and we need to have a witness plan which at leastinvolves an intermediate χ-stage. By ONEKhm, Khm(ψ,⊥, χ) holds. It is then temptingto reduce Khm(ψ, χ, ϕ) to Khm(ψ,⊥, χ) ∧ Khm(χ, χ, ϕ). However, this is not correctsince we may not have a strongly χ-executable plan to reach a ϕ-state from every χ-state. Note that Khm(ψ, χ, ϕ) and Khm(ψ,⊥, χ) only ensure that we can reach ϕ-statesfrom χ-states that result from the witness plan for Khm(ψ,⊥, χ). However, we cannotrefer to such χ-states in the language of LKHM. This is why we include χψ markers inthe building blocks of the canonical model. A label χψ roughly tells us where this state“comes from”. 3

Definition 3.3.8 (Canonical Model) The canonical model for Γ is a quadrupleMcΓ =

〈Sc, ActΓ, Rc, V c〉 where:

• Sc = {(∆, χψ) | χ ∈ ∆ ∈ ΦΓ, and (〈χψ, ϕ〉 ∈ ActΓ for some ϕ or 〈ψ,⊥, χ〉 ∈ActΓ)}. We write the pair in S as w, v, · · · , and refer to the first entry of w ∈ Sas L(w), to the second entry as R(w);

• w 〈ψ,⊥,ϕ〉−−−−−→c w′ iff ψ ∈ L(w) and R(w′) = ϕψ;

3In Wang (2015a), the canonical models are much simpler: the state of the canonical model is just MCSand the canonical relations are simply labelled by 〈ψ,ϕ〉 for Kh(ψ,ϕ) ∈ Γ.


• w 〈χψ,ϕ〉−−−−→c w′ iff R(w) = χψ and ϕ ∈ L(w′);

• p ∈ V c(w) iff p ∈ L(w).

For each w ∈ S, we also call w a ψ-state if ψ ∈ L(w).

In the above definition, R(w) marks the use of w as an intermediate state. The samemaximally consistent set ∆ may have different uses depending on different R(w). We

will make use of the transitions w〈ψ,⊥,χ〉−−−−−→c v

〈χψ,ϕ〉−−−−→c w′ where R(v) = χψ . Note

that if R(w) = χψ then w〈χψ,ϕ〉−−−−→c v for each ϕ-state v. The non-trivial part of the later

proof of the truth lemma is to show that adding such transitions and making them to becomposed arbitrarily will not cause some Khm(ψ, χ, ϕ) 6∈ L(w) to hold at w.

We first show that each ∆ ∈ ΦΓ appears as L(w) for some w ∈ Sc.

Proposition 3.3.9 For each ∆ ∈ ΦΓ, there exists w ∈ Sc such that L(w) = ∆.

PROOF Since ` > → >, it follows by NECU that ` U(> → >). Thus, we haveU(> → >) ∈ Γ. It follows by EMPKhm that Khm(>,⊥,>) ∈ Γ. It follows that a =〈>,⊥,>〉 ∈ ActΓ. Since > ∈ ∆, it follows that (∆,>>) ∈ Sc. 2

Since Γ ∈ ΦΓ, it follows by Proposition 3.3.9 that Sc 6= ∅.

Proposition 3.3.5 helps us to prove the following two handy propositions which willplay crucial roles in the completeness proof. Note that according to Proposition 3.3.5,to obtain that Uϕ in all the ∆ ∈ ΦΓ, we just need to show that ϕ is in all the ∆ ∈ ΦΓ,not necessarily in all the w ∈ Sc.

Proposition 3.3.10 Given a = 〈ψ′,⊥, ϕ′〉 ∈ ActΓ, If for each ψ-state w ∈ Sc we havethat a is executable at w, then U(ψ → ψ′) ∈ Γ.

PROOF Suppose that every ψ-state has an outgoing a-transition, then by the definitionof Rc, ψ′ is in all the ψ-states. For each ∆ ∈ ΦΓ, either ψ 6∈ ∆, or ψ ∈ ∆ thus ψ′ ∈ ∆.Now by the fact that ∆ is maximally consistent it is not hard to show ψ → ψ′ ∈ ∆in both cases. By Proposition 3.3.5, U(ψ → ψ′) ∈ ∆ for all ∆ ∈ ΦΓ. It follows byΓ ∈ ΦΓ that U(ψ → ψ′) ∈ Γ. 2

Proposition 3.3.11 Given w ∈ Sc and a = 〈ψ,⊥, ϕ′〉 or 〈χψ, ϕ′〉 ∈ ActΓ such that ais executable at w, if ϕ ∈ L(w′) for each w′ with w a−→ w′ then U(ϕ′ → ϕ) ∈ Γ.

PROOF Firstly, we focus on the case of a = 〈ψ,⊥, ϕ′〉. For each ∆ ∈ ΦΓ withϕ′ ∈ ∆, we have v = (∆, ϕ′ψ) ∈ Sc. Since 〈ψ,⊥, ϕ′〉 is executable at w, it meansthat ψ ∈ L(w). By the definition, it follows that w a−→ v. Since ϕ ∈ L(w′) for each w′

with w a−→ w′, it follows that ϕ ∈ L(v). Therefore, we have ϕ ∈ ∆ for each ∆ ∈ ΦΓ

with ϕ′ ∈ ∆, namely ϕ′ → ϕ ∈ ∆ for all ∆ ∈ ΦΓ. It follows by Proposition 3.3.5 thatU(ϕ′ → ϕ) ∈ Γ.

Secondly, we focus on the case of a = 〈χψ, ϕ′〉. For each ∆ ∈ ΦΓ with ϕ′ ∈ ∆,it follows by Proposition 3.3.9 that there exists v ∈ Sc such that L(v) = ∆. Since a isexecutable at w, it follows that w a−→ v. Since ϕ ∈ L(w′) for each w′ with w a−→ w′, it


follows that ϕ ∈ L(v). Therefore, we have shown that ϕ′ ∈ ∆ implies ϕ ∈ ∆ for all∆ ∈ ΦΓ. It follows by Proposition 3.3.5 that U(ϕ′ → ϕ) ∈ Γ. 2

To make the proof of the truth lemma shorter, we need the following proposition.

Proposition 3.3.12 Given a non-empty sequence σ = a1 · · · an ∈ Act∗Γ where ai =

〈ψi,⊥, ϕi〉 or ai = 〈χψii , ϕi〉 for each 1 ≤ i ≤ n, we have Khm(ψ, χ, ϕi) ∈ Γ for all1 ≤ i ≤ n if for each ψ-state w ∈ Sc:

• σ is strongly executable at w;

• w σj−→ t′ implies χ ∈ L(t′) for all 1 ≤ j < n.

PROOF If there is no ψ-state in Sc, it follows that ¬ψ ∈ L(w′) for each w′ ∈ Sc. Itfollows by Proposition 3.3.9 that ¬ψ ∈ ∆ for all ∆ ∈ ΦΓ. By Proposition 3.3.5, wehave U¬ψ ∈ Γ. By UNIV, Khm(ψ,⊥,⊥) ∈ Γ. Since ` ⊥ → χ and ` ⊥ → ϕ. Then byNECU, we have ` U(⊥ → χ) and ` U(⊥ → ϕ). By UMKhm and URKhm, it is obvious thatKhm(ψ, χ, ϕ) ∈ Γ.

Next, assuming v ∈ Sc is a ψ-state, we will show Khm(ψ, χ, ϕ) ∈ Γ. There are twocases: n = 1 or n ≥ 2. For the case of n = 1, we will prove it directly; for the case ofn ≥ 2, we will prove it by induction on i.

• n = 1. If a1 is of the form 〈χψ1

1 , ϕ1〉, by the definition of〈χψ1

1 ,ϕ1〉−−−−−−→ it fol-lows that R(w) = χψ1

1 for each ψ-state w. Let χ0 be a formula satisfying that` χ0 ↔ χ1 and χ0 6= χ1. By the rule of Replacement of Equals RE, it followsthat 〈χψ1

0 , ϕ1〉 ∈ ActΓ. Let w′ = (L(v), χψ1

0 ) then it follows that w′ ∈ Sc. Sinceψ ∈ L(v), then we have ψ ∈ L(w′). However, since R(w′) = χψ1

1 6= χψ1

0 ,σ = 〈χψ1

1 , ϕ1〉 is not executable at the ψ-state w′. This is in contradiction withthe assumption that σ is strongly executable at all ψ-states. Therefore, we knowthat a1 cannot be of the form 〈χψ1

1 , ϕ1〉.

If a1 = 〈ψ1,⊥, ϕ1〉, it follows that Khm(ψ1,⊥, ϕ1) ∈ Γ. Since a1 is executableat each ψ-state, it follows by Proposition 3.3.10 that U(ψ → ψ1) ∈ Γ. SinceKhm(ψ1,⊥, ϕ1) ∈ Γ, it follows by ULKhm that Khm(ψ,⊥, ϕ1) ∈ Γ. By NECU andUMKhm, it is clear that Khm(ψ, χ, ϕ1) ∈ Γ.

• n ≥ 2. By induction on i, next we will show that Khm(ψ, χ, ϕi) ∈ Γ for each1 ≤ i ≤ n. For the case of i = 1, with the similar proof as in the case of n = 1,we can show that a1 can only be 〈ψ1,⊥, ϕ1〉 and U(ψ → ψ1) ∈ Γ. Thereforeby UKhm we have Khm(ψ, χ, ϕ1) ∈ Γ. Under the induction hypothesis (IH) thatKhm(ψ, χ, ϕi) ∈ Γ for each 1 ≤ i ≤ k, we will show that Khm(ψ, χ, ϕk+1) ∈ Γ,where 1 ≤ k ≤ n− 1. Because σ is strongly executable at v, it follows that thereare w′, v′ ∈ Sc such that

va1 // · · ·

ak−1// w′

ak // v′ak+1// · · · an // t.

Moreover, for each t′ with w′ ak−→ t′ we have χ ∈ L(t′). It follows by Proposition3.3.11 that U(ϕk → χ) ∈ Γ (N). Proceeding, there are two cases of ak+1:


– ak+1 = 〈ψk+1,⊥, ϕk+1〉. Since σ is strongly executable at v, it follows thatfor each t′ with w′ ak−→ t′ we know that ak+1 is executable at each t′. It

follows by the definition of〈ψk+1,⊥,ϕk+1〉−−−−−−−−−−→ that ψk+1 ∈ L(t′). Moreover,

since ak is executable at w′, it follows by Proposition 3.3.11 that U(ϕk →ψk+1) ∈ Γ. Since ak+1 ∈ ActΓ, it then follows thatKhm(ψk+1,⊥, ϕk+1) ∈Γ. It follows by ULKhm that Khm(ϕk,⊥, ϕk+1) ∈ Γ. Since ` U(⊥ → χ),it follows by UMKhm that Khm(ϕk, χ, ϕk+1) ∈ Γ. Since by IH we have thatKhm(ψ, χ, ϕk) ∈ Γ, It follows from (N) and COMPKhm thatKhm(ψ, χ, ϕk+1) ∈Γ.

– ak+1 = 〈χψk+1

k+1 , ϕk+1〉. Since σ is strongly executable at v, it follows thatfor each t′ with w′ ak−→ t′ we know that ak+1 is executable at t′. Then wehave that R(t′) = χ

ψk+1

k+1 for each t′ with w′ ak−→ t′.Note that the action ak cannot be of the form 〈χψkk , ϕk〉. Suppose it canbe, let v′′ = (L(v′), χ

ψk+1

0 ) where ` χ0 ↔ χk+1 and χ0 6= χk+1. Sincew′

ak−→ v′, it follows that ϕk ∈ L(v′). Then it follows by the definition oftransitions that w′ ak−→ v′′. However, we know that R(v′′) 6= χ

ψk+1

k+1 thusak+1 = 〈χψk+1

k+1 , ϕk+1〉 is not executable at v′′. This is in contradiction withthe strong executability. Therefore, we know that ak cannot be of the form〈χψkk , ϕk〉.Now ak = 〈ψk,⊥, ϕk〉. Since w′ ak−→ v′ and ak+1 = 〈χψk+1

k+1 , ϕk+1〉 isexecutable at v′, we have R(v′) = ϕψkk = χ

ψk+1

k+1 by definition of transitions.It follows that ψk = ψk+1 and ϕk = χk+1. Since ak+1 ∈ ActΓ, it followsthat Khm(ψk+1, χk+1, ϕk+1) ∈ Γ. Thus, we have Khm(ψk, ϕk, ϕk+1) ∈ Γ.By (N) and UMKhm we then have that Khm(ψk, χ, ϕk+1) ∈ Γ (H). If k = 1,by Proposition 3.3.10 it is easy to show that U(ψ → ψ1) ∈ Γ. Then byULKhm we haveKhm(ψ, χ, ϕk+1) ∈ Γ. If k > 1, there is a state w′′ such that

va1 // · · ·

ak−2// w′′

ak−1// w′

ak // v′ak+1// · · · an // t.

Since σ is strongly executable at v, it follows that for each t′ with w′′ak−1−−−→

t′ we have ak is executable at t′. It follows by the definition of〈ψk,⊥,ϕk〉−−−−−−→,

it follows that ψk ∈ L(t′) for each t′ with w′′ak−1−−−→ t′. Since ak−1 is

executable at w′′, it follows by Proposition 3.3.11 that U(ϕk−1 → ψk) ∈Γ.Moreover, since v

σk−1−−−→ t′ for each t′ with w′′ak−1−−−→ t′, it follows that

χ ∈ L(t′). Thus by Proposition 3.3.11 again, we have U(ϕk−1 → χ) ∈ Γ.Since we have proved (H), it follows by ULKhm that Khm(ϕk−1, χ, ϕk+1) ∈Γ. Since by IH we have Khm(ψ, χ, ϕk−1) ∈ Γ, it follows by COMPKhm thatKhm(ψ, χ, ϕk+1) ∈ Γ.

2

Now we are ready to prove the truth lemma.

Lemma 3.3.13 (Truth Lemma) For each ϕ and each w ∈ Sc, we haveMcΓ, w � ϕ iff

ϕ ∈ L(w).


PROOF Boolean cases are trivial, and we only focus on the case of Khm(ψ, χ, ϕ).Left to Right: If there is no state w′ such thatMc

Γ, w′ � ψ, it follows by IH that

¬ψ ∈ L(w′) for each w′ ∈ Sc. It follows by Proposition 3.3.9 that ¬ψ ∈ ∆ for all∆ ∈ ΦΓ. By Proposition 3.3.5, we have U¬ψ ∈ L(w). By UNIV,Khm(ψ,⊥,⊥) ∈ L(w).Since ` ⊥ → χ and ` ⊥ → ϕ. Then by NECU, we have ` U(⊥ → χ) and ` U(⊥ → ϕ).By UMKhm and URKhm, it is obvious that Khm(ψ, χ, ϕ) ∈ L(w).

Next, assumingMcΓ, v � ψ for some v ∈ Sc, we will show Khm(ψ, χ, ϕ) ∈ L(w).

SinceMcΓ, w � Khm(ψ, χ, ϕ), it follows that there exists σ ∈ Act∗ such that for each

McΓ, w

′ � ψ: σ is strongly χ-executable at w′ andMcΓ, v′ � ϕ for all v′ with w′ σ−→ v′.

There are two cases: σ is empty or not.

• σ = ε. This means thatMcΓ, w

′ � ϕ for eachMcΓ, w

′ � ψ. It follows by IH thatψ ∈ L(w′) implies ϕ ∈ L(w′). Thus, we have ψ → ϕ ∈ L(w′) for allw′ ∈ Sc. ByProposition 3.3.9, we have ψ → ϕ ∈ ∆ for all ∆ ∈ ΦΓ. It follows by Proposition3.3.5 that U(ψ → ϕ) ∈ L(w). It then follows by EMPKhm that Khm(ψ,⊥, ϕ) ∈L(w). By NECU and UMKhm, it is easy to show that Khm(ψ, χ, ϕ) ∈ L(w).

• σ = a1 · · · an where for each 1 ≤ i ≤ n, ai = 〈ψi,⊥, ϕi〉 or ai = 〈χψii , ϕi〉.Since σ is strongly χ-executable at eachw′ withMc

Γ, w′ � ψ, it follows by IH that

for each ψ-state w′: σ is strongly executable at w′ and w′σj−→ t′ implies χ ∈ L(t′)

for all 1 ≤ j < n. By Proposition 3.3.12, we have that Khm(ψ, χ, ϕn) ∈ L(v).SinceMc

Γ, v � ψ and σ is strongly χ-executable at v andMcΓ, v′′ � ϕ for each

v′′ with v σ−→ v′′, it follows that there exists v′ such that an is executable at v′

andMcΓ, v′′ � ϕ for each v′′ with v′ an−−→ v′′. (Please note that v′ = v if n = 1.)

Note that an is either 〈ψn,⊥, ϕn〉 or 〈χψnn , ϕn〉. It follows by Proposition 3.3.11and IH that if U(ϕn → ϕ) ∈ Γ, then we have U(ϕn → ϕ) ∈ L(v). It follows byURKhm and Proposition 3.3.3 that Khm(ψ, χ, ϕ) ∈ L(w).

This completes the proof for w � Khm(ψ, χ, ϕ) implies Khm(ψ, χ, ϕ) ∈ L(w).

Right to Left: Suppose that Khm(ψ, χ, ϕ) ∈ L(w). We need to show thatMcΓ, w �

Khm(ψ, χ, ϕ). There are two cases: there is a state w′ ∈ Sc such thatMcΓ, w

′ � ψ ornot. If there is no such state, it followsMc

Γ, w � Khm(ψ, χ, ϕ).For the second case, let w′ be a state such thatMc

Γ, w′ � ψ. It follows by IH that

ψ ∈ L(w′). Since we already haveKhm(ψ, χ, ϕ) ∈ L(w), it follows by Proposition 3.3.3thatKhm(ψ, χ, ϕ) ∈ Γ. Since ` U(χ→ >), it follows by UMKhm thatKhm(ψ,>, ϕ) ∈ Γ.It follows by Proposition 3.3.6 that there exists ∆′ ∈ ΦΓ such that ϕ ∈ ∆′. There aretwo cases: Khm(ψ,⊥, ϕ) ∈ Γ or not.

• Khm(ψ,⊥, ϕ) ∈ Γ. It follows that a = 〈ψ,⊥, ϕ〉 ∈ ActΓ. Therefore, we havev = (∆′, ϕψ) ∈ Sc. Since ψ ∈ L(w′), it follows that w′ a−→ v. Thus, a isstrongly χ-executable at w′. What is more, ϕ ∈ L(v′) for each v′ with w′ a−→ v′

by the definition of the transition. It follows by IH thatMcΓ, v′ � ϕ for all v′ with

w′a−→ v′. Therefore, we haveMc

Γ, w � Khm(ψ, χ, ϕ) witnessed by a single stepσ.

• ¬Khm(ψ,⊥, ϕ) ∈ Γ. It follows by ONEKhm that Khm(ψ,⊥, χ) ∈ Γ. We thenhave a = 〈ψ,⊥, χ〉 ∈ ActΓ and b = 〈χψ, ϕ〉 ∈ ActΓ. Since Khm(ψ,⊥, χ) ∈ Γand ` U(⊥ → >), it follows by UMKhm that Khm(ψ,>, χ) ∈ Γ. It follows by


Proposition 3.3.6 that there exists ∆′′ ∈ ΦΓ such that χ ∈ ∆′′. Therefore, wehave t = (∆′′, χψ) ∈ Sc. Since there exists ∆′ ∈ ΦΓ with ϕ ∈ ∆′, it follows byProposition 3.3.5 that there is t′ ∈ Sc such that L(t′) = ∆′. Now, starting withany ψ-state, a is clearly executable and it will lead to a χ-state, and then by a bstep we will reach all the ϕ states. Therefore, by IH, we have that ab is stronglyχ-executable at w′, and that for all v′ with w′

ab−→ v′ we have McΓ, v′ � ϕ.

Therefore, we haveMcΓ, w � Khm(ψ, χ, ϕ). Note that we do need a 2-step σ in

this case.

2

Now due to Proposition 3.3.4, each SKHM-consistent set of formulas can be ex-tended to a maximally consistent set Γ. Due to the Truth Lemma 3.3.13, we haveMc

Γ, (Γ,>>) � Γ. The completeness of SKHM follows immediately.

Theorem 3.3.14 (Completeness) SKHM is strongly complete w.r.t. the class of allmodels.

3.4 DecidabilityIn this section, we will show that the problem whether a formula ϕ0 is satisfiable isdecidable. The idea is that we will show that ϕ0 has a bounded small model if ϕ0 issatisfiable. From the truth lemma and the completeness theorem, we already know thatif ϕ0 is satisfiable then it is satisfiable in a canonical model. However, a canonical modelis infinite. Our method is to make the filtration of a canonical model through a finite setgenerated by ϕ0 and to show the filtration model is a bounded small model.

Firstly, we will define the set through which we will make the filtration of a canonicalmodel. Different from the standard filtration method in modal logic (see Blackburn et al.(2001)), this set is not only closed under subformulas, but we add Khm(ψ,⊥, ϕ) andKhm(ψ,⊥, χ) for each formula Khm(ψ, χ, ϕ) in the set.

Definition 3.4.1 (Subformula Closed) A set of formulas ∆ is closed under subformulasif for all formulas ϕ,ψ, χ: if ¬ϕ ∈ ∆ then ϕ ∈ ∆; if ϕ∧ψ ∈ ∆ then ϕ ∈ ∆ and ψ ∈ ∆;if Khm(ψ, χ, ϕ) ∈ ∆ then ψ ∈ ∆, χ ∈ ∆ and ϕ ∈ ∆.

Definition 3.4.2 Let Φ be a subformula closed set. cl(Φ) is the smallest set such that:

• Φ ⊆ cl(Φ);

• if Khm(ψ, χ, ϕ) ∈ Φ and χ 6= ⊥ then ±Khm(ψ,⊥, ϕ),±Khm(ψ,⊥, χ) ∈ cl(Φ).

If Φ is a set generated by a single formula, it is obvious that cl(Φ) is finite. Theformula set cl(Φ) is the set we need for our filtration method.

Before building the filtration model, we firstly define the action set that is to be partof the filtration model. From the proof of the truth lemma, we know that each formulaKhm(ψ, χ, ϕ) that is true in a canonical model is witnessed by the plan 〈ψ,⊥, ϕ〉 or theplan 〈ψ,⊥, χ〉〈χψ, ϕ〉. Since in the filtration model we only care about the formulas


in the closure cl(Φ), thus we only need the actions in ActΓ∩cl(Φ). Remember Defini-tion 3.3.7:

ActΓ∩cl(Φ) ={〈ψ,⊥, ϕ〉 | Khm(ψ,⊥, ϕ) ∈ (Γ ∩ cl(Φ))}∪{〈χψ, ϕ〉 | Khm(ψ, χ, ϕ),¬Khm(ψ,⊥, ϕ) ∈ (Γ ∩ cl(Φ))}

It is obvious that ActΓ∩cl(Φ) ⊆ ActΓ.Let Γ be a maximally consistent set and let Mc

Γ be the model defined in Defini-tion 3.3.8. Next we will define the filtration ofMc

Γ through cl(Φ). Before that, we firstdefine an equivalence relation!cl(Φ) over the state set Sc. Let s, t be two states in Sc.The equivalence relation!cl(Φ) is defined as below.

s!cl(Φ) t ⇐⇒McΓ, s � ϕ iffMc

Γ, t � ϕ for all ϕ ∈ cl(Φ), anda is executable on s iff a is executable on t for all a ∈ ActΓ∩cl(Φ).

We denote the equivalence class of a state s ofMcΓ with respect to!cl(Φ) by |s|cl(Φ),

or simply |s| if no confusion will arise.

Definition 3.4.3 (Filtration) The filtration ofMcΓ through cl(Φ), denoted by (Mc

Γ)f =〈Sf , Actf , Rf , V f 〉, is defined as below.

• Sf = {|s|cl(Φ) | s ∈ Sc}.

• Actf = ActΓ∩cl(Φ).

• For all a ∈ Actf , |s| a−→ |t| iff there are s′ ∈ |s| and t′ ∈ |t| such that s′ a−→ t′.

• For all p ∈ cl(Φ), p ∈ V f (|s|) iffMcΓ, s � p.

To show the filtration lemma, the key is to show that a formula has a strongly ex-ecutable plan in the original canonical model if and only if it has a strongly executableplan in the filtration model, which is what the following two propositions show.

Proposition 3.4.4 Given σ = a1 · · · an ∈ (Actf )∗, n ∈ N and |s| ∈ Sf , if σ is stronglyexecutable on |s| in (Mc

Γ)f then σ is strongly executable on all s′ ∈ |s| inMcΓ.

PROOF We prove it by induction on the length of σ. It is obvious if σ = ε. Next wewill show that the proposition holds for σ = a1 · · · an+1.

If a1 · · · an+1 is strongly executable on |s|, it is obvious that a1 · · · an is stronglyexecutable on |s|. It follows by the IH that a1 · · · an is strongly executable on all s′ ∈|s|. Given s′ ∈ |s|, we will show that a1 · · · an+1 is strongly executable on s′. Sincea1 · · · an is strongly executable on |s|, by Definition 3.2.3, we only need to show that ifsσn−−→ t then an+1 is executable on t.

If s σn−−→ t, that is, s a1−→ s1 · · ·an−−→ t, it follows that |s| σn−−→ |t|. Since a1 · · · an+1

is strongly executable on |s|, it follows that an+1 is executable on |t|. Therefore, thereexists t′ ∈ |t| such that an+1 is executable on t′. It follows by the definition of! thatan+1 is executable on t. 2


Proposition 3.4.5 Given a = 〈ψ,⊥, χ〉 ∈ Actf , b = 〈χψ, ϕ〉 ∈ Actf , and s ∈ Sc, thefollowing two propositions hold.

1. If ab is strongly executable on s then ab is strongly executable on |s|.

2. If |s| a−→ |t| and |t| b−→ |v| for some |t|, |v| ∈ Sf then there exits t′ ∈ |t| and

v′ ∈ |v| such that s a−→ t′ and t′ b−→ v′.

PROOF In the following, we will prove the two propositions, respectively.

1. If ab is strongly executable at s, it follows that there are t, v ∈ Sc such that s a−→ t

and tb−→ v. What is more, by the form of the actions a and b, it follows by

Definition 3.3.8 that t = (∆, χψ), ψ ∈ L(s), and ϕ ∈ L(v).

Since a is executable on s, it follows that a is also executable on |s|. To showthat ab is strongly executable on |s|, we only need to show that b is executable oneach |t0| ∈ Sf with |s| a−→ |t0|. If |s| a−→ |t0|, it follows that there are s′ ∈ |s|and t′ ∈ |t0| such that s′ a−→ t′. By the form of a, it follows that t′ = (∆′, χψ).Since ϕ ∈ L(v), it follows by Definition 3.3.8 that t′ b−→ v. Therefore, we have|t′| b−→ |v|, that is, |t0|

b−→ |v|. Thus, b is executable on |t0|.

2. If |s| a−→ |t|, it follows that a is executable on some s′ ∈ |s|. By Definition 3.3.8and the form of the action a, it follows that ψ ∈ L(s′) because a is executable ons′. It follows by the truth lemma thatMc

Γ, s′ � ψ. Since s′ ∈ |s|, it follows that

McΓ, s � ψ. By the truth lemma again, we have ψ ∈ L(s).

If |t| b−→ |v|, it follows that there are t′ ∈ |t| and v′ ∈ |v| such that t′ b−→ v′. ByDefinition 3.3.8 and the form of the action b, it follows that t′ = (∆′, χψ). Sinceψ ∈ L(s), it follows that s a−→ t′. Thus, we have s a−→ t′ and t′ b−→ v′.

2

Now we are ready to prove the filtration lemma.

Lemma 3.4.6 (Filtration Lemma) For each formula ϕ ∈ cl(Φ), (McΓ)f , |s0| � ϕ iff

McΓ, s0 � ϕ.

PROOF We prove it by induction on ϕ. We restrict our attention to the case ofKhm(ψ, χ, ϕ); the other cases are trivial.

Left-to-Right. If (McΓ)f , |s0| � Khm(ψ, χ, ϕ), next we will show that Mc

Γ, s0 �Khm(ψ, χ, ϕ). Firstly it follows that there exists σ ∈ Actf such that for all |s′| with(Mc

Γ)f , |s′| � ψ: σ is strongly χ-executable on |s′| and (McΓ)f , |t′| � ϕ for all |t′| with

|s′| σ−→ |t′|.To show Mc

Γ, s0 � Khm(ψ, χ, ϕ), let s be a state such that McΓ, s � ψ. Then we

only need to show that σ is strongly χ-executable on s and McΓ, t � ϕ for all t with

sσ−→ t. Since Mc

Γ, s � ψ, it follows by the IH that (McΓ)f , |s| � ψ. Therefore, σ is

strongly executable on |s|. It follows by Proposition 3.4.4 that σ is strongly executable


on s. Let σ = a1 · · · an, then for each 0 ≤ k ≤ n: s σk−→ t implies |s| σk−→ |t|. It followsby the IH that σ is strongly χ-executable on s andMc

Γ, t � ϕ for all t with s σ−→ t.Right-to-Left. If Mc

Γ, s0 � Khm(ψ, χ, ϕ), next we will show that (McΓ)f , |s0| �

Khm(ψ, χ, ϕ). IfMcΓ, s0 � Khm(ψ, χ, ϕ), it follows by the truth lemma thatKhm(ψ, χ, ϕ) ∈

S0, and then Khm(ψ, χ, ϕ) ∈ Γ. There are two cases.

• χ = ⊥. We have Khm(ψ,⊥, ϕ) ∈ Γ, and then 〈ψ,⊥, ϕ〉 ∈ ActΓ. SinceKhm(ψ,⊥, ϕ) ∈ s0, by the proof of the truth lemma, it follows that for all swithMc

Γ, s � ψ: 〈ψ,⊥, ϕ〉 is strongly executable on s andMcΓ, t � ϕ for all t

with sψ,⊥,ϕ−−−−→ t.

Since we also have 〈ψ,⊥, ϕ〉 ∈ Actf , to show (McΓ)f , |s0| � Khm(ψ, χ, ϕ), we

only need to show that for all |s| with (McΓ)f , |s| � ψ: 〈ψ,⊥, ϕ〉 is strongly ex-

ecutable on |s| and (McΓ)f , |t| � ϕ for all |t| with |s| ψ,⊥,ϕ−−−−→ |t|. If (Mc

Γ)f , |s| �ψ, it follows by the IH thatMc

Γ, s � ψ. Therefore, 〈ψ,⊥, ϕ〉 is (strongly) execut-

able on s, and thus it is (strongly) executable on |s|. If |s| ψ,⊥,ϕ−−−−→ |t|, it follows

that there are s′ ∈ |s| and t′ ∈ |t| such that s′ψ,⊥,ϕ−−−−→ t′. By the IH, we know that

McΓ, s′ � ψ. Therefore, we haveMc

Γ, t′ � ϕ, and it follows by the IH again that

(McΓ)f , |t| � ϕ.

• χ 6= ⊥. If we still haveMcΓ, s0 � Khm(ψ,⊥, ϕ), by the same proof, we will have

(McΓ)f , |s0| � Khm(ψ,⊥, ϕ), and thus (Mc

Γ)f , |s0| � Khm(ψ, χ, ϕ). Next wewill focus on the situation ofMc

Γ, s0 2 Khm(ψ,⊥, ϕ). IfMcΓ, s0 2 Khm(ψ,⊥, ϕ),

it follows by the truth lemma that ¬Khm(ψ,⊥, ϕ) ∈ Γ. By Definition 3.4.2, weknow that Khm(ψ, χ, ϕ) and ¬Khm(ψ,⊥, ϕ) are also members of cl(Φ). Thus wehave b = 〈χψ, ϕ〉 ∈ Actf . What is more, since Khm(ψ, χ, ϕ) and ¬Khm(ψ,⊥, ϕ)are in Γ, it follows by Axiom ONEKhm that Khm(ψ,⊥, χ) ∈ Γ. Since we also haveKhm(ψ,⊥, χ) ∈ cl(Φ) by Definition 3.4.2, it follows that a = 〈ψ,⊥, χ〉 ∈ Actf .

It is obvious that the actions a and b are also in ActΓ. By the proof of the truthlemma, we know that for all s withMc

Γ, s � ψ: ab is strongly χ-executable on s

andMcΓ, t � ϕ for all t with s ab−→ t. To show that (Mc

Γ)f , |s0| � Khm(ψ, χ, ϕ),next we will show that for all |s| with (Mc

Γ)f , |s| � ψ: ab is strongly executableon |s|, and (Mc

Γ)f , |t| � χ and (McΓ)f , |v| � ϕ for all |t| and |v| with |s| a−→ |t|

and |t| b−→ |v|. If (McΓ)f , |s| � ψ, it follows by the IH thatMc

Γ, s � ψ. Therefore,ab is strongly executable on s. It follows by Proposition 3.4.5 that ab is stronglyexecutable on |s|. If |s| a−→ |t| b−→ |v|, it follows by Proposition 3.4.5 that thereare t′ ∈ |t| and v′ ∈ |v| such that s a−→ t′

b−→ v′. Thus we haveMcΓ, t′ � χ and

McΓ, v′ � ϕ. It follows by the IH that (Mc

Γ)f , |t| � χ and (McΓ)f , |v| � ϕ.

2

Proposition 3.4.7 (Small Model Property) If ϕ0 is satisfiable then it is satisfiable ina model with at most 22k states where k = |cl(Φ)| and Φ is the subformula closuregenerated by ϕ0.

PROOF If ϕ0 is satisfiable, it follows by soundness that it is consistent. By Linden-baum’s lemma, ϕ0 can be extended to be a maximally consistent set Γ. By the truth


lemma, we have McΓ, s � ϕ0 where s = (Γ,>>). It follows by the filtration lemma

that ϕ0 is satisfiable in the model (McΓ)f . Each state |t| in (Mc

Γ)f corresponds to a pair(∆, X) where ∆ ⊆ cl(Φ) is the set of formulas that are true in |t| and X ⊆ Actf is theset of actions that are executable on |t|. Since there are at most k actions in σf , thereare at most 2k action set X . Since there are also at most 2k formula set ∆, there are atmost 22k pairs of (∆, X). Therefore, there are at most 22k states in the filtration model(Mc

Γ)f . 2

Theorem 3.4.8 (Decidability) KHM is decidable.

PROOF With the small model property, this can be proved by a standard argumentpresented in Blackburn et al. (2001). 2

3.5 ConclusionIn this chapter, we generalized the knowing how logic presented in Wang (2015a) andproposed a ternary modal operator Khm(ψ, χ, ϕ) to express that the agent knows how toachieve ϕ given ψ while taking a route that satisfies χ. We also presented a sound andcomplete axiomatization of this logic. Compared to the completeness proof in Wang(2015a), the proof here is more complicated. The essential difference is that, to handlethe intermediate constraints, a state of the canonical model here is a pair consisting of amaximally consistent set and a marker of the form χψ which indicates that this state hasa 〈ψ,⊥, χ〉-predecessor.

Moreover, we showed that the logic KHM is decidable via a filtration method. Thefiltration here is defined on the canonical model, and it cannot be extended to all models.That is because the Khm-formulas have special witness plans in the canonical model,which allows us to select a subset of the whole action set. This filtration method canbe applied to the logic presented in Wang (2015a) and shows that the logic with binaryknowing-how operator Kh is decidable.

One interesting topic related to this chapter’s topic is relaxing the strong execut-ability in the semantics. Intuitively, strongly executable plans may be too strong forknowledge-how in some cases. For example, if there is an action sequence σ in themodel such that doing σ at a ψ-state will always make the agent stop on ϕ states, we canprobably also say the agent knows how to achieve ϕ given ψ. For instance, I know howto start the engine in that old car given the precondition that it is in good condition. I justneed to turn the key several times until it starts, and five times should suffice, at most.Please note that there are two kinds of states in which the agent might stop: either statesthat the agent achieves after doing σ successfully, or states on which the agent is unableto continue executing the remaining actions. In Chapter 4, we will discuss the logic ofknowing how with this kind of plans.

Another interesting related topic is to consider contingent plans which involve con-ditions based on the knowledge of the agent. A contingent plan is a partial function onthe agent’s belief space. Such plans make more sense when the agent has the ability ofobservations during the execution of the plan. To consider contingent plans, we need toextend the model with an epistemic relation. We can then express knowledge-that and

3.5. CONCLUSION 67

knowledge-how at the same time, and discuss their interactions in one unified logicalframework. We discuss the logic of knowing how with contingent plans in Chapter 5.

For future research, besides the obvious questions of model theory of the logic, wecan extend this logic with the public announcement operator. Intuitively, [θ]ϕ says thatϕ holds after the information θ is provided. The update of the new information amountsto the change of the background knowledge throughout the model, and this may affectthe knowledge-how. For example, a doctor may not know how to treat a patient withthe disease since he is worried that the only available medicine might cause some verybad side-effects. Let p mean that the patient has the disease, and let r mean that thereare bad side-effects. Then this can be expressed as ¬Khm(p,¬r,¬p). Suppose a newscientific discovery shows that the side-effect is not possible under the relevant circum-stance, then the doctor should know how to treat the patient, which can be expressed as[¬r]Khm(p,¬r,¬p).4

4However, the announcement operator [ϕ] is not reducible in LKHM as discussed in Wang (2016).

Chapter 4

Knowing how with weakconformant plans1

4.1 IntroductionEpistemic logic proposed by Hintikka (1962) is a modal logic concerned with reasoningabout knowledge. It formalizes propositional knowledge, the knowledge of the form“knowing that”, by means of a modal formula Kϕ which expresses that the agent knowsthat ϕ holds. It interprets knowledge-that in terms of agents’ uncertainty. The agentknows that ϕ at a state s if and only if he can rule out all the ¬ϕ epistemic possibil-ities at s. Epistemic logic is widely applied in theoretical computer science, artificialintelligence, economics, and linguistics (see van Ditmarsch et al. (2015)).

However, knowledge is not only expressed by “knowing that”, but also by other ex-pressions, such as “knowing how”, “knowing what”, “knowing why”, and so on. Amongall these expressions, “knowing how” (and the knowledge-how that it expresses) is themost discussed.

In artificial intelligence, beginning from McCarthy and Hayes (1969) and McCarthy(1979), researchers started to study what it means for a computer program to “knowhow” to achieve a state of affairs ϕ in terms of its ability. In particular, Moore (1985) ishighly influential on representation of and reasoning about knowledge-how and ability.Please note that Moore did not clearly distinguish between knowledge-how and ability.According to Moore, there are two possible ways to define the agent’s knowledge-how:

(I) There exists an action a such that the agent knows that the performance of a willresult in ϕ;

(II) The agent knows that there exists an action a such that the performance of a willresult in ϕ.

Let ϕ(a) express that performing a will make sure that ϕ. The first is a de re definitionof knowledge-how (∃a : Kϕ(a)), and the second is a de dicto definition (K∃a : ϕ(a)).Moore pointed out that the first definition is too strong and the second is too weak. For

1This is based on the paper Li (2017).

69

70 CHAPTER 4. KNOWING HOW WITH WEAK CONFORMANT PLANS

example, if we only know that there exists a method to guarantee that ϕ but withoutknowing the identity of the method, we cannot say that we know how to make surethat ϕ. On the other hand, in real-life context, we might say to a friend that “I can beat your house at 8pm” without knowing in advance exactly what action we will adopt.Therefore, Moore proposed an adapted, but very complicated version of the definition.Moore’s formalism has inspired a large body of work in artificial intelligence on know-ledge and ability (see the surveys by Gochet (2013) and Agotnes et al. (2015)).

In logic, the framework of Alternating-time Temporal Logic (ATL) (cf. Alur et al.(2002)) is concerned with reasoning about agents’ abilities in game structures. Byadding the knowledge operator to this framework, ATEL (van der Hoek and Wooldridge(2003)) can express that the agent knows that there is a strategy to enforce ϕ from thecurrent state. However, the reading is still a de dicto reading of knowledge-how, andit is too weak to define knowledge-how. To solve this problem, researchers proposeddifferent solutions (cf. Herzig et al. (2013); Belardinelli (2014); Herzig (2015)), suchas making the strategy uniform, or specifying the explicit actions in the modality (e.g.,knowing that performing abc will achieve ϕ).

In the above-mentioned works, knowledge-how is usually expressed in a very rich lo-gical language involving quantifiers or various complicated modalities. However, start-ing from Plaza (1989), Hart et al. (1996), and van der Hoek and Lomuscio (2003), logi-cians attempted to formalize some knowledge-wh, such as “knowing whether”, “know-ing what” etc., as a whole modality, in a similar way in which epistemic logic deals withknowledge-that. The recent works Fan et al. (2014), Fan et al. (2015), Gu and Wang(2016), and Wang (2015a) are in line with this idea.

In particular, Wang (2015a) proposed a single-agent logic of knowing how, whichincludes the modal formula Kh(ψ,ϕ) to express that the agent knows how to achieveϕ given the precondition ψ. The models are labelled transition systems which reflectan agent’s ability. Thus the models are also called ability maps. The formula Kh(ψ, χ)is interpreted in a de re reading of knowledge-how: there exists an action sequence(also called a plan) σ such that (1) performing σ at each ψ-state the agent will achievea ϕ-state; and (2) the plan is not supposed to fail during the execution. In automatedplanning, such a plan is called a conformant plan (cf. Smith and Weld (1998); Ghallabet al. (2004)). Consider Figure 4.1 which represents a map of a floor in a building wherethe agent can go right(r) or up(u).2 According to Wang’s interpretation of knowledge-how, the agent here knows how to achieve q given p because there is a conformant planru (first moving right then moving up) for achieving q-states from p-states.

s6 s7 : q s8 : q

s1 r // s2 : p

u

::

r //

u

OO

s3 : p r //

u

OO

s4 r //

u

OO

s5 : q

Figure 4.1

However, the demands that a conformant plan asks may be too strong, in the sensethat the execution of the plan will never fail. Intuitively, we are still comfortable to say

2This is a variant of the running example used in Wang and Li (2012).

4.2. THE LOGIC KHW 71

“we know how to achieve ϕ given ψ” if we will always end up with a ϕ-state whenthe execution of the plan terminates, whether or not all parts of the plan have beencompleted. For example, let q be true only on the state s5 in Figure 4.1. Then therewill be no conformant plans for achieving the only q-state s5 from p-states, but westill say that “we know how to achieve the q-state from p-states” because we can getthere by moving right at most three times. The plan of moving right three times isnot a conformant plan since the execution of the plan starting from s3 will fail at s5,but this plan will still guarantee our achieving the q-state s5 in the sense that we willalways end up with s5 when the execution of the plan terminates. We call it a weakconformant plan. A weak conformant plan for achieving ϕ-states from ψ-states is afinite linear action sequence such that the execution of the action sequence at each ψ-state will always terminate on a ϕ-state, either successfully or not. Intuitively, a weakconformant plan is enough for our knowing how to achieve ϕ given ψ.

In this chapter, we interpret knowledge-how as there being a weak conformant planfor the agent achieving the goal. Compared to the interpretation of Wang (2015a), ourinterpretation is weaker, but more realistic. We also present a sound and complete ax-iomatic system. It shows that this weaker interpretation results in a weaker logic. Thecomposition axiom in Wang (2015a)

(Kh(p, r) ∧ Kh(r, q))→ Kh(p, q)

is not valid under this weaker interpretation. Even though the logic is weaker, the proofof its completeness is non-trivial. We also define an alternative nonstandard semantics.By reducing a decidable problem on our weaker semantics to a decidable problem onthis alternative nonstandard semantics, we show that this logic is decidable.

The rest of the chapter is organized as follows: Section 4.2 introduces the languageand semantics and presents a deductive system; Section 4.3 shows the completeness ofthe deductive system; Section 4.4 proposes an alternative semantics for our logic andshows that our logic is decidable; in the last section, we conclude with future directions.

4.2 The logic KHWThis section will introduce the logic of knowing how with weak conformant plans, andwe denote the logic as KHW.

4.2.1 Syntax and semanticsIn this section, we will introduce the language and the semantics. The language has firstbeen proposed in Wang (2015a). Differently from the knowing-how modality Kh usedin Wang (2015a), we use the modality Khw here, and the superscript indicates that thislogic is weaker.

Definition 4.2.1 (Language) Given a countable set of proposition letters P, the lan-guage LKHW is defined as follows:

ϕ := > | p | ¬ϕ | (ϕ ∧ ϕ) | Khw(ϕ,ϕ)

where p ∈ P. We will often omit parentheses around expressions when doing so shouldnot cause confusion. We use the standard abbreviations⊥, ϕ∨ψ and ϕ→ ψ. We define


Uϕ as Khw(¬ϕ,⊥). U is intended to be a universal modality, and it will become clearafter we define the semantics.

Intuitively, the formula Khw(ψ,ϕ) expresses that the agent knows how to guaranteeϕ given ψ since she has a weak conformant plan to achieve ϕ-states from each ψ-state.

The language is interpreted on models which are labelled transition systems. Themodel is also called an ability map because it represents the agent’s abilities, i.e. itillustrates what actions the agent can do in each state.

Definition 4.2.2 (Model) A model (also called an ability map) is essentially a labelledtransition system (S,Act,R, V ) where:

• S is a non-empty set of states;

• Act is a set of actions (or labels);



We write s a−→ t or t ∈ Ra(s) if (s, t) ∈ R(a). For a sequence σ = a1 . . . an ∈ Act∗,we write s σ−→ t if there exist s2 . . . sn such that s a1−→ s2

a2−→ · · · an−1−−−→ snan−−→ t. Note

that σ can be the empty sequence ε (when n = 0), and we set s ε−→ s for any s. Let σkbe the initial segment of σ up to ak for k ≤ |σ|. In particular let σ0 = ε. We say that σis executable at s if there is t such that s σ−→ t.

Note that the labels in Act do not appear in the language. The graph in Figure 4.1represents a model. We also call an action sequence a plan. We say a plan σ is executablein a state s if there exists a state t such that s σ−→ t.

As discussed in Section 4.1, we will interpret knowledge-how as there being a weakconformant plan for achieving the goal, that is, the agent will always terminate on a goalstate when performing the plan. Next, we will formally define the set of states on whichthe agent will terminate when performing a plan.

Definition 4.2.3 (Terminal States) Given a state s ∈ S and an action sequence σ =a1 · · · an ∈ Act∗, TermiSs(s, σ) is the set of states on which the agent might terminateif she performs σ in s. Formally, it is defined as

TermiSs(s, σ) = {t | s σ−→ t, or ∃i < n : sσi−→ t and t has no ai+1 successor}.

In particular, let TermiSs(s, ε) = {s}. If s σ−→ t for all t ∈ TermiSs(s, σ), we say σis strongly executable at s.

Considering the following model, we have TermiSs(s1, ab) = {s3, s4}.

s2 b // s4 : qs1 : p

a33

a ++ s3

Definition 4.2.4 (Semantics) Suppose s is a state in a model M = (S,Act,R, V ).Then we inductively define the notion of a formula ϕ being satisfied (or true) inM atstate s as follows:

4.2. THE LOGIC KHW 73

M, s � > alwaysM, s � p ⇐⇒ p ∈ V (s).M, s � ¬ϕ ⇐⇒ M, s 2 ϕ.M, s � (ϕ ∧ ψ) ⇐⇒ M, s � ϕ andM, s � ψ.M, s � Khw(ψ,ϕ) ⇐⇒ there exists σ ∈ Act∗ such that for each w ∈ JψK

and each t ∈ TermiSs(w, σ) we haveM, t � ϕ.

where JψK = {s ∈ S | M, s � ψ}.

We also call the semantics defined here as the standard semantics, to distinguish itfrom the nonstandard semantics defined in Section 4.4. Now we can also check that theoperator U defined by Khw(¬ϕ,⊥) is indeed a universal modality:

M, s � Uϕ ⇔ for all t ∈ S,M, t � ϕ

Under this semantics, the composition axiom in Wang (2015a),

(Khw(p, r) ∧ Khw(r, q))→ Khw(p, q),

is not valid. The following example presents a model in which the composition axiomis not true.

Example 4.2.5 ModelM is depicted as follows.

s1 : p a // s3 : r b // s5 : q

s2 : p, r b // s4 : q

• M, s1 � Khw(p, r) since there is a weak conformant plan a. Please note thatafter executing a on s2 the agent will terminate on s2 itself.

• M, s1 � Khw(r, q) since there is a weak conformant plan b. After executing b oneach r-states, either s3 or s2, the agent will achieving on a q-state.

• M, s1 2 Khw(p, q) since there are no weak conformant plans for achieving q-states from p-states. Particularly, ab is not a weak conformant plan. The perform-ance of ab on s1 will result in a q-state s5, but executing ab on p-state s2 willterminate on s2 itself.

The composition of two weak conformant plans might not be a weak conformantplan any more. Just as shown in Example 4.2.5, a is a weak conformant plan for achiev-ing r-states from p-states, and b is a weak conformant plan for achieving q-states fromr-states, but the composition ab is not a weak conformant plan for achieving q-statesfrom p-states. There is no weak conformant plan for achieving q-states from p-states inthis example.

4.2.2 A deductive systemIn this subsection, we provide a Hilbert-style proof system for the logic KHW and showit is sound on the standard semantics.


Definition 4.2.6 (SWKH System) The axiomatic system SWKH is shown in Table 4.1.We write SWKH ` ϕ (or sometimes just ` ϕ) to mean that the formula ϕ is derivablein the axiomatic system SWKH; the negation of SWKH ` ϕ is written SWKH 0 ϕ (orjust 0 ϕ). To say that a set D of formulas is SWKH-inconsistent (or just inconsistent)means that there is a finite subsetD′ ⊆ D such that ` ¬

∧D′, where

∧D′ :=

∧ϕ∈D′ ϕ

if D′ 6= ∅ and∧ϕ∈∅ ϕ := >. To say that a set of formulas is SWKH-consistent

(or just consistent) means that the set of formulas is not inconsistent. Consistency orinconsistency of a formula refers to the consistency or inconsistency of the singleton setcontaining the formula.

AxiomsTAUT Tautologies for propositional logic

DISTU (Up ∧ U(p→ q))→ UqTU Up→ p

4WKhU Khw(p, q)→ UKhw(p, q)5WKhU ¬Khw(p, q)→ U¬Khw(p, q)EMPWKh U(p→ q)→ Khw(p, q)UWKh (U(p′ → p) ∧ U(q → q′) ∧ Khw(p, q))→ Khw(p′, q′)Rules

MPϕ,ϕ→ ψ

ψ

NECUϕ

UϕSUB

ϕ

ϕ[ψ/p]

Table 4.1: System SWKH

All the axioms here except UWKh are also axioms in the axiomatic system addressedin Wang (2015a), where UWKh is deducible from the composition axiom. As observedin Example 4.2.5, the composition axiom is not valid by our semantics. This means thatthe system here is strictly weaker than Wang (2015a)’s system, which is in line with thefact that here knowledge-how is interpreted in a weaker way. However, even though thesystem is weaker, the proof of its completeness is non-trivial. We will explain why inthe next section.

Proposition 4.2.7 ` Uχ ∧ Uψ → U(χ ∧ ψ)

PROOF(1) ` χ→ (ψ → (χ ∧ ψ)) by propositional logic(2) ` U(χ→ (ψ → (χ ∧ ψ))) by Rule NECU(3) ` Uχ→ U(ψ → (χ ∧ ψ)) by Axiom DISTU

(4) ` U(ψ → (χ ∧ ψ))→ (Uψ → U(χ ∧ ψ)) by Axiom DISTU

(5) ` Uχ→ (Uψ → U(χ ∧ ψ)) by (3) and (4)


(6) ` Uχ ∧ Uψ → U(χ ∧ ψ) by propositional logic 2

Next, we show that SWKH is sound with respect to the standard semantics.

Proposition 4.2.8 � U(p′ → p) ∧ U(q → q′) ∧ Khw(p, q)→ Khw(p′, q′)

PROOF Assuming thatM, s � U(p′ → p)∧U(q → q′)∧Khw(p, q), we need to showthatM, s � Khw(p′, q′). SinceM, s � Khw(p, q), it follows that there exists σ ∈ Act∗such that for each w ∈ JpK and each t ∈ TermiSs(w, σ) we have M, t � q (∗).In order to show M, s � Khw(p′, q′), we only need to show that M, t′ � q′ for eachw′ ∈ Jp′K and each t′ ∈ TermiSs(w′, σ).

Given w′ ∈ Jp′K, it follows byM, s � U(p′ → p) that w′ ∈ JpK. Due to (∗), wehave that for each t′ ∈ TermiSs(w′, σ): M, t′ � q, namely t′ ∈ JqK. Moreover, sinceM, s � U(q → q′), we have JqK ⊆ Jq′K. Therefore, we have that t′ ∈ Jq′K, namelyM, t′ � q′, for each t′ ∈ TermiSs(w′, σ). Thus, we have thatM, s � Khw(p′, q′). 2

Since U is a universal modality, DISTU, TU and EMPWKh are obviously valid. Becausethe modality Khw is not local, it is easy to show that 4WKhU and 5WKhU are valid. Alongwith Proposition 4.2.8, we have that all axioms are valid. Moreover, due to a standardargument in modal logic, we know that the rules MP, NECU and SUB preserve a formula’svalidity. Therefore, the soundness of SWKH follows immediately.

Theorem 4.2.9 (Soundness) SWKH is sound on the standard semantics.

4.3 Deductive completenessThis section will show that SWKH is complete with respect to the standard semantics.For the same reason as in Wang (2015a), we will build a canonical model for a givenmaximally consistent set (MCS). The reason is that the semantics of Khw formulas doesnot depend on the current state. Thus if they are true, they are true everywhere in themodel. It follows that we cannot build a single canonical model to realize all the consist-ent sets of LKHW formulas simultaneously because bothKhw(ψ,ϕ) and ¬Khw(ψ,ϕ) canbe consistent. Instead, for each maximally consistent set of LKHW formulas, we build aseparate canonical model.

However, the canonical model in Wang (2015a) does not work here because thecomposition axiom is not valid here, just as shown in Example 4.2.5. We need a newmethod to construct the canonical model. The canonical model here is also based on agiven maximally consistent set Γ, but there are some critical differences. First, the stateof the canonical model is a pair consisting of a maximally consistent set and a marker.The marker plays an important role in defining the binary relations of actions. Second,each knowing-how formula is realized by a weak conformant plan consisting of twoactions.

Definition 4.3.1 We say that a set ∆ of formulas is maximally consistent in LKHW if ∆is consistent, and any set of formulas properly containing Γ is inconsistent. If ∆ is amaximally consistent set of formulas then we say it is an MCS.

Let Γ be an MCS in LKHW. In the following, we will build a canonical model for Γ.We first prepare ourselves with some auxiliary notions and some handy propositions.


Given a set of LKHW formulas ∆, let ∆|Khw and ∆|¬Khw be the collections of itspositive and negative Khw formulas:

∆|Khw = {θ ∈ ∆ | θ is of the form Khw(ψ,ϕ)};∆|¬Khw = {θ ∈ ∆ | θ is of the form ¬Khw(ψ,ϕ)}.

Definition 4.3.2 Let ΦΓ be the set of all MCS ∆ such that ∆|Khw = Γ|Khw .

Note that ΦΓ is the set of all MCSs that share the same Khm formulas with Γ. Thecanonical model for Γ will be based on the MCSs in ΦΓ. Since every ∆ ∈ ΦΓ ismaximally consistent, the following proposition shows an obvious property of ΦΓ.

Proposition 4.3.3 For each ∆ ∈ ΦΓ, we haveKhw(ψ,ϕ) ∈ Γ if and only ifKhw(ψ,ϕ) ∈∆ for all Khw(ψ,ϕ) ∈ LKHW.

By a standard argument of Lindenbaum’s lemma (cf. Blackburn et al. (2001)), wehave the following proposition.

Proposition 4.3.4 If ∆ is consistent then there is an MCS Γ such that ∆ ⊆ Γ.

The following proposition reveals a crucial property of ΦΓ, which will be used re-peatedly later on.

Proposition 4.3.5 If ϕ ∈ ∆ for all ∆ ∈ ΦΓ then Uϕ ∈ ∆ for all ∆ ∈ ΦΓ.

PROOF Suppose ϕ ∈ ∆ for all ∆ ∈ ΦΓ, then by the definition of ΦΓ, ¬ϕ is not con-sistent with Γ|Khw∪Γ|¬Khw , for otherwise Γ|Khw∪Γ|¬Khw∪{¬ϕ} can be extended into amaximally consistent set in ΦΓ due to Proposition 4.3.4, which contradicts the assump-tion that ϕ ∈ ∆ for all ∆ ∈ ΦΓ. Thus there areKhw(ψ1, ϕ1), . . . ,Khw(ψk, ϕk) ∈ Γ|Khw

and ¬Khw(ψ′1, ϕ′1), . . . , ¬Khw(ψ′l, ϕ′l) ∈ Γ|¬Khw such that

`∧

1≤i≤k

Khw(ψi, ϕi) ∧∧

1≤j≤l

¬Khw(ψ′j , ϕ′j)→ ϕ.

By NECU,` U(

∧1≤i≤k


1≤j≤l

¬Khw(ψ′j , ϕ′j)→ ϕ).

By DISTU we have:

` U(∧

1≤i≤k


1≤j≤l

¬Khw(ψ′j , ϕ′j))→ Uϕ.

Since Khw(ψ1, ϕ1), . . . , Khw(ψk, ϕk) ∈ Γ|Khw , it follows that UKhw(ψ1, ϕ1), . . . ,UKhw(ψk, ϕk) ∈ Γ due to 4WKhU and the fact that Γ is a maximally consistent set.Similarly, we have U¬Khw(ψ′1, ϕ′1), . . . , U¬Khw(ψ′j , ϕ′j) ∈ Γ due to 5WKhU. By Pro-position 4.2.7, it follows that

U(∧

1≤i≤k


1≤j≤l

¬Khw(ψ′j , ϕ′j)) ∈ Γ.

Now it is immediate that Uϕ ∈ Γ. Due to Proposition 4.3.3, Uϕ ∈ ∆ for all ∆ ∈ ΦΓ. 2


Proposition 4.3.6 Given Khw(ψ,ϕ) ∈ Γ and ∆ ∈ ΦΓ, if ψ ∈ ∆ then there exists∆′ ∈ ΦΓ such that ϕ ∈ ∆′.

PROOF Assuming Khw(ψ,ϕ) ∈ Γ and ψ ∈ ∆ ∈ ΦΓ, if there does not exist ∆′ ∈ ΦΓ

such that ϕ ∈ ∆′, it means that ¬ϕ ∈ ∆′ for all ∆′ ∈ ΦΓ. It follows by Proposition4.3.5 that U¬ϕ ∈ Γ, and then U(ϕ→ ⊥) ∈ Γ. Since U(ϕ→ ⊥) and Khw(ψ,ϕ) ∈ Γ, itfollows by UWKh that Khw(ψ,⊥) ∈ Γ, namely U¬ψ ∈ Γ. By Proposition 4.3.3, we havethat U¬ψ ∈ ∆. It follows by TU that ¬ψ ∈ ∆. This is in contradiction with ψ ∈ ∆.Therefore, there exists ∆′ ∈ ΦΓ such that ϕ ∈ ∆′. 2

Next, we will construct the canonical model for the MCS Γ. It is crucial firstto understand the ideas behind the canonical model construction. Besides satisfyingKhw(ψ,ϕ), the canonical model also needs to meet the following two requirements.

(1) Generally, Khw(ψ,ϕ) cannot be satisfied by a one-step plan. Otherwise, thecanonical model will always satisfy the formula that Khw(p,¬p) ∧ Khw(¬p, q) →Khw(p, q) which is not a valid formula. Therefore, in the canonical model, Khw(ψ,ϕ)will be realized by a two-step plan 〈ψ,ψϕ〉〈ψϕ,ϕ〉. If we already reach a ϕ-state by thefirst step 〈ψ,ψϕ〉, we do not need to go further anymore. If we arrive at a ¬ϕ-state by〈ψ,ψϕ〉, then we need to make sure that doing the second step 〈ψϕ,ϕ〉 on this state willachieve only ϕ-states.

(2) If 〈ψ,ψϕ〉〈ψϕ,ϕ〉 is a weak conformant plan for Khm(ψ,ϕ), then 〈ψ,ψϕ〉 mustbe executable on at least one ¬ψ-state. The reason is that if 〈ψ,ψϕ〉 is only executableat ψ-states then the canonical model will always satisfy Khw(ψ,ϕ) → Khw(ψ ∨ ϕ,ϕ)which is not a valid formula. If we allow 〈ψ,ψϕ〉 also executable at ¬ψ-states, we musttreat the step from ψ-states and ¬ψ-states differently. Otherwise, the canonical modelwill always satisfy Khw(ψ,ϕ) → Khw(>, ϕ). Our method is that the step 〈ψ,ψϕ〉starting from ψ-states will reach only states marked with ψϕ. This is why we includeψϕ markers in the building blocks of the canonical model besides maximally consistentset.3

Definition 4.3.7 (Canonical Model) The canonical model for Γ is a quadrupleMcΓ =

〈Sc, ActΓ, Rc, V c〉 where:

• Sc = {(∆, ψϕ) | ∆ ∈ ΦΓ,Khw(ψ,ϕ) ∈ Γ}. We write the pair in S as w, v, · · · ,and refer to the first entry of w ∈ S as L(w), to the second entry as R(w);

• ActΓ = {〈ψ,ψϕ〉, 〈ψϕ,ϕ〉 | Khw(ψ,ϕ) ∈ Γ};

• w 〈ψ,ψϕ〉−−−−→c w′ ⇐⇒ If ψ ∈ L(w) then R(w′) = ψϕ;

• w 〈ψϕ,ϕ〉−−−−→c w′ ⇐⇒ R(w) = R(w′) = ψϕ, ¬ϕ ∈ L(w) and ϕ ∈ L(w′);

• p ∈ V c(w) ⇐⇒ p ∈ L(w).

For each w ∈ S, we also call w a ψ-state if ψ ∈ L(w).

3In Wang (2015a), the canonical models are much simpler: we just need MCSs and the canonical relationsare simply labelled by 〈ψ,ϕ〉 for Kh(ψ,ϕ) ∈ Γ.


Please note that Sc is non-empty because (Γ,>>) ∈ Sc. We first show that each∆ ∈ ΦΓ appears as L(w) for some w ∈ Sc.

Proposition 4.3.8 For each ∆ ∈ ΦΓ, there exists w ∈ Sc such that L(w) = ∆.

PROOF Since ` > → >, it follows by NECU that ` U(> → >). Thus, we haveU(> → >) ∈ Γ. It follows by EMPWKh that Khw(>,>) ∈ Γ. Thus, we have that(∆,>>) ∈ Sc. 2

Since Γ ∈ ΦΓ, it follows by Proposition 4.3.8 that Sc 6= ∅.The following proposition indicates that in the canonical model each knowing-how

formula Kh(ψ,ϕ) is realized by a plan whose length is no more than 2.

Proposition 4.3.9 If there is σ = a1 · · · an ∈ Act∗Γ where n ≥ 3 such that for eachψ-state w ∈ Sc and each state t ∈ TermiSs(w, σ) we have ϕ ∈ L(t), then there existsσ′ = a′1 · · · a′k ∈ Act

∗Γ where k ≤ n − 1 such that for each ψ-state w ∈ Sc and each

state t ∈ TermiSs(w, σ) we have ϕ ∈ L(t).

PROOF Let s be a ψ-state such that s σ−→c t for some t ∈ Sc. If there is no such astate, it is easy to show that TermiSs(w, σ) = TermiSs(w, σn−1) for each ψ-statew, and then σ′ = a1 · · · an−1 satisfies the conditions. Next we proceed the proof byconsidering the following two cases according to the form of a1.

• a1 = 〈ψ1ϕ1, ϕ1〉We will show that σ′ = ε satisfies that for each ψ-state w ∈ Scand each state t ∈ TermiSs(w, σ′) we have ϕ ∈ L(t). We only need to showthat ψ → ϕ ∈ ∆ for each ∆ ∈ ΦΓ. If not, there exists ∆′ ∈ ΦΓ such that{ψ,¬ϕ} ⊂ ∆′. Let χ be a formula such that ` χ ↔ ψ1 and χ 6= ψ1. Since` χ → >, it follows by NECU and EMPWKh that Khw(χ,>) ∈ Γ. Then we have aψ-state w′ = (∆′, χ>) ∈ Sc. Since χ 6= ψ1, a1 is not executable on w′, and thenwe have {w′} = TermiSs(w′, σ). Since ¬ϕ ∈ L(w′), this is in contradictionwith our assumption. Thus we have ψ → ϕ ∈ ∆ for each ∆ ∈ ΦΓ.

• a1 = 〈ψ1, ψ1ϕ1〉 There are two cases based on the form of a2:

– a2 = 〈ψ2, ψ2ϕ2〉 There are two cases: U¬ψ2 ∈ Γ or not.

∗ There is no ∆ ∈ ΦΓ such that ¬ψ2 ∈ ∆. Let σ′ = a2 · · · an. Given a ψ-state w, next we will show that if t ∈ TermiSs(w, σ′) then ϕ ∈ L(t).For each t ∈ TermiSs(w, σ′) we have w a2−→c t

′ · · · ak−→c t where2 ≤ k ≤ n. Duo to ψ2 ∈ L(w), it follows by the definition of a2−→c

that t′ = (∆′, ψ2ϕ2) for some ∆′ ∈ ΦΓ. What is more, for each s′

with s a1−→c s′, we have s′ a2−→c t

′ duo to ψ2 ∈ L(s′). (Please note sis the state we mentioned at the beginning of the proof.) It follows thatt ∈ TermiSs(s, σ). It follows by assumption that ϕ ∈ L(t).

∗ There exists ∆ ∈ ΦΓ such that ¬ψ2 ∈ ∆. Let s′ = (∆, ψ1ϕ1) for some¬ψ2 ∈ ∆. It follows that s a1−→c s

′ and s′ a2−→c t′ for each t′ ∈ Sc.

Let σ′ = a3 · · · an. Given a ψ-state w, we have s a1−→c s′ a2−→c w. For

each t ∈ TermiSs(w, σ′), it follows that t ∈ TermiSs(s, σ). Thus,we have ϕ ∈ L(t). Therefore, σ′ satisfies the conditions.


– a2 = 〈ψ2ϕ2, ϕ2〉 There are two cases: U(ψ → ψ1) ∈ Γ or not.

∗ There exists ∆ ∈ ΦΓ such that ψ,¬ψ1 ∈ ∆. In this case, it must bethat ϕ ∈ ∆′ for each ∆′ ∈ ΦΓ. If not, let t = (∆′, ψ′2ϕ2) where¬ϕ ∈ ∆′, ` ψ2 ↔ ψ′2 and ψ2 6= ψ2. Let w be a state such that{ψ,¬ψ1} ⊂ L(w). It follows that w a1−→c t and a2 is not executableat t. Thus, t ∈ TermiSs(w, σ). By assumption, we have ϕ ∈ L(t).Contradiction. Therefore, we have ϕ ∈ ∆′ for each ∆′ ∈ ΦΓ. Then,σ′ = ε satisfies that for each ψ-state w and each t ∈ TermiSs(w, σ′)we have ϕ ∈ L(t).

∗ There is no ∆ ∈ ΦΓ such that ψ,¬ψ1 ∈ ∆. Thus, we have ψ1 ∈ L(s).(Please note s is the state mentioned at the beginning of the proof.)Since s a1−→c s1

a2−→c s2 for some s1, s2 ∈ Sc, it follows by the defin-ition of a1 and a2 that ψ1 = ψ2 and ϕ1 = ϕ2. Firstly we will showthat ϕ1 → ϕ ∈ ∆ for all ∆ ∈ ΦΓ. If not, there is ∆′ ∈ ΦΓ suchthat {ϕ1,¬ϕ} ⊂ ∆′. Let t = (∆′, ψ1ϕ1) then we have s a1−→c t anda2 is not executable at t. Thus, we have t ∈ TermiSs(s, σ). Since¬ϕ ∈ L(t), it is in contradiction with our assumption. Therefore, wehave ϕ1 → ϕ ∈ ∆ for all ∆ ∈ ΦΓ (??).Let σ′ = a1a2. Given a ψ-state w, for each t ∈ TermiSs(w, σ′), thereare two cases: w a1−→c t and a2 is not executable at t, or w a1−→c w

′ a2−→c

t. Both of them have that ϕ1 ∈ L(t). It follows by (??) that ϕ ∈ L(t).

2

Now we are ready to prove the truth lemma.

Lemma 4.3.10 (Truth Lemma) For each ϕ, we haveMcΓ, w � ϕ iff ϕ ∈ L(w).

PROOF Boolean cases are trivial, and we only focus on the case of Khw(ψ,ϕ).Left to Right: Supposing Khw(ψ,ϕ) ∈ L(w), let a1 = 〈ψ,ψϕ〉 and a2 = 〈ψϕ,ϕ〉,

then we will show thatMcΓ, t � ϕ for each w ∈ JψK and each t ∈ TermiSs(w, a1a2).

Given w ∈ JψK and t ∈ TermiSs(w, a1a2), we will show thatMcΓ, t � ϕ. By IH, we

only need to show that ϕ ∈ L(t). For t ∈ TermiSs(w, a1a2), there are two cases:

• w a1−→c t and a2 is not executable at t. Since w ∈ JψK, it follows by IH thatψ ∈ L(w).By the definition of a1−→c, we have R(t) = ψϕ. Due to ψ ∈ L(w) andKhw(ψ,ϕ) ∈ Γ, it follows by Proposition 4.3.6 that ϕ ∈ ∆′ for some ∆′ ∈ ΦΓ.Thus, (∆′, ψϕ) is a state in Sc. Then, there is only one reason left for a2 notexecutable at t, that is, ¬ϕ 6∈ L(t). Therefore, we have ϕ ∈ L(t).

• w a1−→c w′ a2−→c t for some w′ ∈ Sc. By the definition of a2−→c, it follows that

ϕ ∈ L(t).

Right to Left: IfMcΓ, w � ϕ, we assume that σ = a1 · · · an ∈ Act∗Γ is the shortest

action sequence such thatMcΓ, t � ϕ for each w ∈ JψK and each t ∈ TermiSs(w, σ).

It follows by Proposition 4.3.9 and IH that n ≤ 2. Let us consider the following twocases: n = 0 or n > 0.


• n = 0 It means σ = ε. It follows by IH that ψ ∈ ∆ implies ϕ ∈ ∆ for all ∆ ∈ ΦΓ.Therefore, we have ψ → ϕ ∈ ∆ for all ∆ ∈ ΦΓ. It follows by Proposition 4.3.5that U(ψ → ϕ) ∈ Γ. By EMPWKh, we have that Khw(ψ,ϕ) ∈ Γ. It follows byProposition 4.3.3 that Khw(ψ,ϕ) ∈ L(w).

• n > 0 There are three cases.

– a1 cannot be of the form 〈ψ1ϕ1, ϕ1〉. If a1 = 〈ψ1ϕ1, ϕ1〉, we can showthat ψ → ϕ ∈ ∆ for all ∆ ∈ ΦΓ. If not, there is ∆ ∈ ΦΓ such that{ψ,¬ϕ} ⊂ ∆. Let χ be a formula such that ` ψ1 ↔ χ and ψ1 6= χ. Dueto U(χ → >) ∈ Γ, it follows that Khw(χ,>) ∈ Γ. Thus t = (∆, χ>) is astate in Sc. By IH, we haveMc

Γ, t � ψ. Since a1 is not executable at t, wehave t ∈ TermiSs(t, σ). Therefore,Mc

Γ, t � ϕ. By IH, we have ϕ ∈ L(t).Contradiction. Thus, we have ψ → ϕ ∈ ∆ for all ∆ ∈ ΦΓ. By IH, we havethatMc

Γ, t � ϕ for each w′ ∈ JψK and each t ∈ TermiSs(w′, ε). This is incontradiction with our assumption that σ is the shortest and n > 0.

– an cannot be of the form 〈ψn, ψnϕn〉. If an = 〈ψn, ψnϕn〉, we can showthat ϕ ∈ ∆ for all ∆ ∈ ΦΓ. Otherwise, there is ∆′ ∈ ΦΓ such that ¬ϕ ∈ ∆′.let t = (∆′, ψnϕn). Since σ is the shortest, it follows that there is a state w′

such thatMcΓ, w

′ � ψ, w′σn−1−−−→c v and an is executable at v. Then we have

van−−→c t. Thus, we have that w′ σ−→c t. It follows that t ∈ TermiSs(w′, σ).

Thus, we haveMcΓ, t � ϕ. It follows by IH that ϕ ∈ L(t). Contradiction.

Thus, we have ϕ ∈ ∆ for all ∆ ∈ ΦΓ. By IH, we have thatMcΓ, t � ϕ for

each w′ ∈ JψK and each t ∈ TermiSs(w′, ε). This is in contradiction withour assumption that σ is the shortest and n > 0.

– a1 = 〈ψ1, ψ1ϕ1〉 and a2 = 〈ψ2ϕ2, ϕ2〉.Firstly, we show that there is no ∆ ∈ ΦΓ such that {ψ,¬ψ1} ⊂ ∆, namelyU(ψ → ψ1) ∈ Γ. If there is such a MCS ∆, let w be state such that L(w) =

∆. It follows that w a1−→c t for all t ∈ Sc. Then, it must be that ϕ ∈ ∆′ forall ∆′ ∈ ΦΓ. Otherwise, let t = (∆′, ψ′2ϕ2) where ¬ϕ ∈ ∆′, ` ψ′2 ↔ ψ2

and ψ′2 6= ψ2. It follows that w a1−→c t and a2 is not executable at t, namelyt ∈ TermiSs(w, a1a2). It follows that Mc

Γ, t � ϕ, and then by IH thatϕ ∈ L(t) = ∆′. Contradiction. Thus, we have ϕ ∈ ∆′ for all ∆′ ∈ ΦΓ.Then, σ′ = ε satisfies that for each w ∈ JψK and each t ∈ TermiSs(w, ε)we haveMc

Γ, t � ϕ. This is in contradiction with σ = a1a2 is the shortestone. Therefore, we have there is no ∆ ∈ ΦΓ such that {ψ,¬ψ1} ⊂ ∆. It,then, follows by Proposition 4.3.5 that U(ψ → ψ1) ∈ Γ.Next, we will show that there is no ∆ ∈ ΦΓ such that {ϕ1,¬ϕ} ⊂ ∆,namely U(ϕ1 → ϕ) ∈ Γ. Since σ is the shortest, we assume that w′, t1, t2are states such that w′ a1−→c t1

a2−→c t2 and w′ ∈ JψK. It follows thatψ1 = ψ2 and ϕ1 = ϕ2. If there is ∆ ∈ ΦΓ such that {ϕ1,¬ϕ} ⊂ ∆,let t = (∆, ψ1ϕ1). It follows that w′ a1−→c t1

a2−→c t. Thus, we havet ∈ TermiSs(w′, a1a2). It follows that Mc

Γ, t � ϕ, and then by IH thatϕ ∈ L(t) = ∆. Contradiction. Thus, we have shown that there is no ∆ ∈ΦΓ such that {ϕ1,¬ϕ} ⊂ ∆, and then by Proposition 4.3.5 that U(ϕ1 →ϕ) ∈ Γ. Due to a1 ∈ ActΓ, we have Khw(ψ1, ϕ1) ∈ Γ. Since we have


shown that U(ψ → ψ1) ∈ Γ and U(ϕ1 → ϕ) ∈ Γ, it follows by UWKh thatKhw(ψ,ϕ) ∈ Γ, and then Khw(ψ,ϕ) ∈ L(w).

2

The key of the completeness proof is to show that each SWKH-consistent set issatisfiable. Due to a standard Lindenbaum-like argument, each SWKH-consistent set offormulas can be extended to a maximally consistent set Γ. Due to the truth lemma, wehave thatMc

Γ, (Γ,>>) � Γ. The completeness of SWKH follows immediately.

Theorem 4.3.11 (Strong Completeness) SWKH is strongly complete on the standardsemantics.

4.4 DecidabilityThis section will show that the problem whether a formula ϕ is valid with respect tothe standard semantics is decidable. The strategy is that we firstly define a nonstandardsemantics and then show that ϕ is valid with respect to the standard semantics if andonly if ϕ is valid with respect to the nonstandard semantics. Next, we show that ϕ has abounded small model if ϕ is satisfiable with respect to the nonstandard model.

Definition 4.4.1 (Nonstandard semantics) Given a pointed modelM, s and a formulaϕ, we writeM, s ϕ to mean that ϕ is true atM, s with respect to the nonstandardsemantics . The nonstandard semantics is defined by the following induction onformula construction.

M, s > alwaysM, s p ⇐⇒ s ∈ V (p).M, s ¬ϕ ⇐⇒M, s ϕ.M, s ϕ ∧ ψ ⇐⇒M, s ϕ andM, s ψ.M, s Khw(ψ,ϕ) ⇐⇒ there exists a ∈ Act• such that for allM, u ψ :

a is executable at u andM, v ϕ for all v ∈ Ra(u)

where Act• = Act ∪ {ε}. To say ϕ is valid with respect to the nonstandard semantics,written ϕ, meansM, s ϕ for all pointed modelM, s.

In this nonstandard semantics, the knowledge-how is interpreted almost the sameas in Moore’s first interpretation (I). The only difference is that the witness action forthe knowledge-how might be epsilon ε. Intuitively, this means that if ϕ is true in eachψ-state then we know how to achieve ϕ given ψ trivially by doing nothing.

LetM, s Uϕ be defined asM, u ϕ for all u ∈ S. It is easy to show that

M, s Uϕ ⇐⇒ M, s Khw(¬ϕ,⊥)

To show that � ϕ if and only if ϕ, since the axiom system SWKH is sound andcomplete with respect to the standard semantics, we only need to show that SWKH isalso sound and complete on the nonstandard semantics.

Since Khw is also a universal modality, it is easy to verify that SWKH is sound onthe nonstandard semantics.


Proposition 4.4.2 (Soundness w.r.t. nonstandard semantics) If ` ϕ then ϕ.

Next, we will show that SWKH is complete on the nonstandard semantics. The keyis to construct a model for a given consistent formula ϕ such that ϕ is satisfiable in themodel on the nonstandard semantics.

Here are some notions before we construct the model for ϕ. We use Sub(ϕ) todenote the set of all sub-formulas of ϕ. Let ∼ψ = χ if ψ = ¬χ, otherwise, ∼ψ = ¬ψ.It is obvious that ` ¬ψ ↔ ∼ψ. We use Sub+(ϕ) to denote the set Sub(ϕ)∪{∼ψ | ψ ∈Sub(ϕ)}.

Similar to the completeness of SWKH to the standard semantics, the model we aregoing to construct here is based on maximally consistent sets in the set Sub+(ϕ).

Proposition 4.4.3 If Γ is a consistent subset of Sub+(ϕ) then there exists an MCS B inSub+(ϕ) such that Γ ⊆ B.

PROOF Let Φ be the set of all MCSs in Sub+(ϕ). It is easy to show that `∨A∈ΦA.

Assume that there is no A ∈ Φ such that Γ ⊆ A. It follows that there is ψ ∈ Γ such that∼ψ ∈ A. Thus, we have A ` ¬ψ. Since ` ¬ψ → ¬

∧Γ, it follows that A ` ¬

∧Γ.

Therefore, `∨A∈ΦA → ¬

∧Γ, and then we have ` ¬

∧Γ. This is in contradiction

with Γ being consistent. Thus, we have that there exists A ∈ Φ such that Γ ⊆ A. 2

As we did in Section 4.3, here we will construct the model based on a given MCS inSub+(ϕ). Let A be an MCS in Sub+(ϕ). We use ΘA to denote A|Khw ∪ A|¬Khw . Themodel based on A is defined in the following.

Definition 4.4.4 The modelMA = 〈SA, ActA, RA, V A〉 is defined as follows.

• SA = {B is an MCS in Sub+(ϕ) | (B|Khw ∪B|¬Khw) = ΘA};

• ActA = {〈χ, ψ〉 | Khw(χ, ψ) ∈ ΘA};

• B 〈χ,ψ〉−−−→ B′ ⇐⇒ χ ∈ B and ψ ∈ B′, for each 〈χ, ψ〉 ∈ ActA;

• p ∈ V A(B) ⇐⇒ p ∈ B, for each p ∈ Sub+(ϕ).

The domain SA is non-empty because A ∈ SA. Next, we will show the truth lemmafor this model. Before that, we first prepare ourselves with some useful handy proposi-tions.

Proposition 4.4.5 ΘA ` U∧

ΘA

PROOF Let∧

ΘA := θ1 ∧ θ2 where θ1 := Khw(χ1, ψ1) ∧ · · · ∧ Khw(χn, ψn) andθ2 := ¬Khw(χ′1, ψ′1) ∧ · · · ∧ ¬Khw(χ′m, ψ′m). It follows by Axiom 4WKhU and Propos-ition 4.2.7 that ` θ1 → Uθ1. It follows by Axiom 5WKhU and Proposition 4.2.7 that` θ2 → Uθ2. Again by Proposition 4.2.7, we have ` θ1 ∧ θ2 → U(θ1 ∧ θ2). Thus, wehave ΘA ` U

∧ΘA. 2

Proposition 4.4.6 For each ψ ∈ Sub+(ϕ), if ψ ∈ B for all B ∈ SA then ΘA ` Uψ.


PROOF Since ψ ∈ B for all B ∈ SA, it follows that ΘA ∪ {¬ψ} is inconsistent. Itfollows that `

∧ΘA → ψ. By Rule NECU, it follows that ` U(

∧ΘA → ψ). It follows

by Axiom DISTU that ` U∧

ΘA → Uψ. By Proposition 4.4.5, it follows that Therefore,ΘA ` Uψ. 2

Proposition 4.4.7 Given χ ∈ Sub+(ϕ) and B ∈ SA, if χ ∈ B implies that 〈χ′, ψ′〉 ∈ActA is executable at B then we have ΘA ` U(χ→ χ′).

PROOF Assume that ΘA ∪{χ,∼χ′} is consistent. It follows that there exists C ∈ SAsuch that ΘA ∪ {χ,∼χ′} ⊆ C. It follows that χ ∈ C and 〈χ′, ψ′〉 is not executable atC. Contradiction. Therefore, ΘA ∪{χ,∼χ′} is inconsistent. Thus, we have `

∧ΘA →

(χ→ χ′). It follows by Rule NECU and Axiom DISTU that ` U∧

ΘA → U(χ→ χ′). Itfollows by Proposition 4.4.5 that ΘA ` U(χ→ χ′). 2

Proposition 4.4.8 Given ψ ∈ Sub+(ϕ), 〈χ′, ψ′〉 ∈ Sub+(ϕ) and B ∈ SA, if 〈χ′, ψ′〉is executable at B, and ψ ∈ B′ for each B′ ∈ SA with B

〈χ′,ψ′〉−−−−→ B′, then we haveΘA ` U(ψ′ → ψ).

PROOF Assume that ΘA∪{ψ′,∼ψ} is consistent. It follows that there exists C ∈ SA

such that ΘA ∪ {ψ′,∼ψ} ⊆ C. It follows that Bχ′,ψ′−−−→ C. It follows that ψ ∈ C.

Contradiction. Therefore, ΘA ∪ {ψ′,∼ψ} is inconsistent. Thus, we have `∧

ΘA →(ψ′ → ψ). It follows by Rule NECU and Axiom DISTU that ` U

∧ΘA → U(ψ′ → ψ).

It follows by Proposition 4.4.5 that ΘA ` U(ψ′ → ψ). 2

Now we are ready to prove the truth lemma for the model defined in Definition 4.4.4.

Proposition 4.4.9 For each ψ ∈ Sub+(ϕ),MA, B ψ iff ψ ∈ B.

PROOF Boolean cases are trivial; we only focus on the case of Khw(χ, ψ).Right to Left: It follows that 〈χ, ψ〉 ∈ ActA. Given MA, C χ, it follows that

ψ ∈ C ′ if C〈χ,ψ〉−−−→ C ′. It follows by IH that MA, C ′ ψ. Thus, we only need to

show that 〈χ, ψ〉 is executable at C, namely there exists C ′ ∈ SA such that ψ ∈ C ′.Assume that there is no C ′ ∈ SA such that ψ ∈ C ′. It follows by Proposition 4.4.6that ΘA ` U∼ψ. Thus, we have ΘA ` U(ψ → ⊥). Since ΘA ⊆ C, it follows thatC ` U(ψ → ⊥). Since Khw(χ, ψ) ∈ B, it follows that Khw(χ, ψ) ∈ ΘA, and thatKhw(χ, ψ) ∈ C. Therefore, it follows by Axiom UWKh that C ` Khw(χ,⊥), namelyC ` U∼χ. It follows by Axiom TU that C ` ∼χ, namely C ` ¬χ. Contradiction.Therefore, there exists C ′ ∈ SA such that ψ ∈ C ′.

Left to Right: IfM, B Khw(χ, ψ), it follows that there exists a ∈ (ActA)• suchthat for eachM, C χ, we have a is executable at C andM, C ′ ψ for all C ′ ∈ SAwith C a−→ C ′. There are three cases:

• a = ε. It follows that M, C ψ if M, C χ. By IH, we have that χ ∈ Cimplies ψ ∈ C for all C ∈ SA. Therefore, we have ΘA ∪{χ,¬ψ} is inconsistent.It follows that ΘA ` χ → ψ. It follows by Rule NECU, Axiom DISTU, andProposition 4.4.5 that ΘA ` U(χ → ψ). It follows by Axiom EMPWKh that ΘA `Khw(χ, ψ). Therefore, Khw(χ, ψ) ∈ B.


• a = 〈χ′, ψ′〉 ∈ ActA and there is no C ∈ SA such that χ ∈ C. It follows thatΘA ∪ {∼χ} is inconsistent. Thus, we have ΘA ` ¬χ. It follows by Rule NECU,Axiom DISTU, and Proposition 4.4.5 that ΘA ` U¬χ, namely ΘA ` Khw(χ,⊥).Since ` U(⊥ → ψ), it follows by Axiom UWKh that ΘA ` Khw(χ, ψ). Thus, wehave Khw(χ, ψ) ∈ B.

• a = 〈χ′, ψ′〉 ∈ ActA and χ ∈ C for some C ∈ SA. It follows by IH that foreach χ ∈ B′ we have 〈χ′, ψ′〉 is executable at B′. It follows by Proposition 4.4.7that ΘA ` U(χ → χ′). It follows by IH that ψ ∈ C ′ for each C ′ ∈ SA with

C〈χ′,ψ′〉−−−−→ C ′. It follows by Proposition 4.4.8 that ΘA ` U(ψ′ → ψ). Since

〈χ′, ψ′〉 ∈ ActA, it follows that ΘA ` Khw(χ′, ψ′). It follows by Axiom UWKh

that ΘA Khw(χ, ψ). Thus, we have Khw(χ, ψ) ∈ B.

2

Proposition 4.4.10 (Completeness w.r.t. nonstandard semantics) If ϕ then ` ϕ.

PROOF We only need to show that if ϕ is consistent then ϕ is satisfiable with respectto the nonstandard semantics . If ϕ is consistent, it follows by Proposition 4.4.3 thatthere is an MCS A in Sub+(ϕ) such that ϕ ∈ A. It follows by Proposition 4.4.9 thatM, A ϕ. 2

Proposition 4.4.11 (Small model property) If ϕ is satisfiable with respect to the non-standard semantics, then there is a modelM such thatM, s ϕ and the model is ofsize at most 2k, where k = |Sub+(ϕ)|.

PROOF If ϕ is satisfiable with respect to the nonstandard semantics, it follows by Pro-position 4.4.2 that ϕ is consistent. Then by Definition 4.4.4, we can construct a modelMA where A is an MCS in Sub+(ϕ) and ϕ ∈ A. It follows by Proposition 4.4.10 thatMA, A ϕ. It is obvious that |MA| ≤ O(2|ϕ|). 2

It follows by Propositions 4.4.2 and 4.4.10 that SWKH is sound and complete withrespect to the nonstandard semantics . Since SWKH is also sound and complete withrespect to the standard semantics �, we have the following lemma.

Proposition 4.4.12 � ϕ if and only if ϕ.

Theorem 4.4.13 (Decidability) The problem whether ϕ is valid on the standard se-mantics is decidable.

PROOF To decide whether ϕ is valid on the standard semantics, it follows by Proposi-tion 4.4.12 that we only need to decide whether ϕ is valid on the nonstandard semantics.In other words, we only need to decide whether ¬ϕ is satisfiable on the nonstandardsemantics. It follows by Proposition 4.4.11 that the problem whether ¬ϕ is satisfiableon the nonstandard semantics is decidable. 2

4.5. CONCLUSION 85

4.5 ConclusionIn this chapter, we interpret the knowing-how formula Khw(ψ,ϕ) as that the agent has aweak conformant plan for achieving ϕ given ψ, and a weak conformant plan for achiev-ing ϕ-states from ψ-states is a finite linear action sequence such that the performance ofthe action sequence at each ψ-state will always end up with a ϕ-state, whether or not allparts of the plan have been completed. Our interpretation of knowledge-how is weakerthan the one in Wang (2015a), where knowledge-how is interpreted as that the agent hasa conformant plan, but our interpretation is more realistic. We also presented a soundand complete axiomatic system. This shows that this system is weaker than the systemaddressed in Wang (2015a). We also showed that this logic is decidable by reducing theproblem to a decidable problem to the nonstandard semantics.

One more interesting thing is that the canonical model is more complicated thanthe one of Wang (2015a) even though the axiomatic system is weaker. Mainly, Khwformulas are realized by a two-step plan in our canonical model while they are realizedby a one-step plan in the canonical model in Wang (2015a). This also affords us someuseful ideas about how to construct the decision procedure for the logic with a tableaumethod. For example, for the tableau system of our logic, it is not enough to consideronly one-step plans.

The nonstandard semantics played a major role in this paper not only because it is thekey step in the proof of the decidability but also because it reveals the fact that our form-alization of knowledge-how is in principle the same as in Moore’s first interpretation. Italso shows that Moore’s interpretation does not contain the trivial case of knowing howto guarantee a state of affairs by doing nothing.

For future directions, we can express the existence of a weak conformant plan in thelogic framework proposed in Yu et al. (2016) where the existence of a conformant plancan be expressed by a formula. Moreover, we can study the knowing-how logic under afixed action set. In our model, the action setAct is a part of the model, but it is clear thatfor different Act we will get different logics. For example, if Act is empty, Khw(ψ,ϕ)is equivalent to U(ψ → ϕ). If Act is a singleton, the formula Khw(p, q) ∧ Khw(q, r)→Khw(p, r) will be valid under our standard semantics. The more interesting thing is tocompare the logic containing a finite Act with the logic containing an infinite Act.

Another exciting research field is the multi-agent version of Khw. We can also con-sider group notions of “knowing how”. Especially, the distributed knowledge-how willbe very useful. If you know how to achieve B from A and I know how to achieve C fromB, we two together should know how to achieve C from A. Moreover, it also makes goodsense to extend our language with a public announcement operator. The update of thenew information will result in the change of the background information throughout themodel, and this will affect the knowledge-how.

Chapter 5

Strategically knowing how1

5.1 IntroductionStandard epistemic logic focuses on reasoning about propositional knowledge expressedby knowing that ϕ (see Hintikka (1962)). However, in natural language, various otherknowledge expressions are also frequently used, such as knowing what, knowing how,knowing why, and so on.

In particular, knowing how receives much attention in both philosophy and AI. Epi-stemologists debate about whether knowledge-how is also propositional knowledge (seeFantl (2008)), e.g., whether knowing how to swim can be rephrased in terms of knowingthat. In AI, it is crucial to let autonomous agents know how to accomplish certain goalsin robotics, game playing, decision making, and multi-agent systems. In fact, a largebody of AI planning can be viewed as finding algorithms to let the autonomous plannerknow how to achieve some propositional goals, i.e., to obtain goal-directed knowledge-how (see Gochet (2013)). Here, both propositional knowledge and knowledge-how mat-ter, especially in the planning problems where initial uncertainty and non-deterministicactions are present. From a logician’s point of view, it is interesting to see how know-ing how interacts with knowing that, and how they differ in their reasoning patterns. Alogic of knowing how also helps us find a notion of consistency regarding knowledgedatabases.

Example 5.1.1 Consider the scenario where a doctor needs a plan to treat a patient andcure his pain, under the uncertainty about some possible allergy. If there is no allergy,then simply taking some pills can cure the pain, and the surgery is not a legitimateoption. On the other hand, in presence of the allergy, the pills may cure the pain or haveno effect at all, while the surgery can cure the pain for sure. Let p denote that the patienthas the pain, and let q denote that there is an allergy. The model in Figure 5.1 representsthis scenario with an additional action of testing whether q. The dotted line representsthe initial uncertainty about q, and the test on q can eliminate this uncertainty (there isno dotted line between s3 and s4). According to the model, to cure the pain (guarantee¬p) at the end, it makes sense to take the surgery if the result of the test whether q

1This is based on the paper Fervari et al. (2017) that is co-authored with Raul Fervari, Andreas Herzig,and Yanjing Wang.

87

88 CHAPTER 5. STRATEGICALLY KNOWING HOW

s1 : p,¬q test // s3 : p,¬q pills// s5 : ¬p,¬q

s2 : p, qtest // s4 : p, q

surgery--

pills

��

pills11 s6 : ¬p, q

Figure 5.1: A scenario representing how to cure the pain.

happens to be positive and take the pills otherwise. We can say that the doctor in thiscase knows how to cure the pain.

How can we formalize the knowledge-how of the agent in such scenarios with uncer-tainty? In the early days of AI, people already started to look at it in the setting of logicsof knowledge and action (see McCarthy and Hayes (1969); McCarthy (1979); Moore(1985); Singh (1994); Lesperance et al. (2000); van der Hoek et al. (2000)). However,there has been no consensus on how to capture the logic of “knowing how” formally (cf.the recent surveys Gochet (2013) and Agotnes et al. (2015)). The difficulties are welldiscussed in Jamroga and Agotnes (2007) and Herzig (2015) and simply combining theexisting modalities for “knowing that” and “ability” in a logical language like ATEL (seevan der Hoek and Wooldridge (2003)) does not lead to a genuine notion of “knowinghow”, e.g., knowing how to achieve p is not equivalent to knowing that there exists astrategy to make sure p. It does not work even when we replace the notion of strategy bythe notion of uniform strategy where the agent has to choose the same action on indis-tinguishable states (see Jamroga and Agotnes (2007)). Let ϕ(x) express that x is a wayto make sure some goal is achieved and let K be the standard knowledge-that modality.There is a crucial distinction between the de dicto reading of knowing how (K∃xϕ(x))and the desired de re reading (∃xKϕ(x)) endorsed also by linguists and philosophers(see Quine (1953); Stanley and Williamson (2001)). The latter implies the former, butnot the other way round. For example, consider a variant of Example 1.1 where notest is available: then the doctor has de dicto knowledge-how to cure, but not the dere one. Proposals to capture the de re reading have been discussed in the literature,such as making the knowledge operator more constructive (see Jamroga and Agotnes(2007)), making the strategy explicitly specified (see Herzig et al. (2013); Belardinelli(2014)), or inserting K in-between an existential quantifier and the ability modality inseeing-to-it-that (STIT) logic (see Broersen and Herzig (2015)).

In Wang (2015a, 2016), a new approach is proposed by introducing a single newmodality Khs of (conditional) goal-directed knowing how, instead of breaking it downinto other modalities. This approach is in line with other de re treatments of non-standardepistemic logics of knowing whether, knowing what and so on (cf. Wang (2017) for asurvey). The semantics of Khs is inspired by the idea of conformant planning basedon linear plans (see Smith and Weld (1998); Yu et al. (2016)). It is shown that Khs isnot a normal modality, e.g, knowing how to get drunk and knowing how to drive doesnot entail knowing how to drive when drunk. The work is generalized further in Li andWang (2017) and Li (2017). However, in these previous works, there was no explicitknowing that modality K in the language and the semantics of Khs is based on linearplans, which does not capture the broader notion allowing branching plans or strategies

5.2. THE LOGIC SKH 89

that are essential in the scenarios like Example 5.1.1.In this chapter, we extend this line of work in the following aspects:

• Both the knowing how modality Khs and knowing that modality K are in thelanguage.

• In contrast to the state-independent semantics in Wang (2015a), we interpret Khslocally w.r.t. the current uncertainty.

• Instead of linear plans in Wang (2015a), the semantics of our Khs operator isbased on strategies (branching plans).

The intuitive idea behind our semantics of Khs is that the agent knows how to achieveϕ iff (s)he has an executable uniform strategy σ such that the agent knows that:

• σ guarantees ϕ in the end given the uncertainty;

• σ always terminates after finitely many steps.

Note that for an agent to know how to make sure ϕ, it is not enough to find a planwhich works de facto, but the agent should know it works in the end. This is a strong re-quirement inspired by planning under uncertainty, where the collection of final possibleoutcomes after executing the plan is required to be a subset of the collection of the goalstates (see Geffner and Bonet (2013)).

Technically, our contributions are summarized as follows:

• A logical language with bothKhs andK operators with a semantics which fleshesout formally the above intuitions about knowing how.

• A complete axiomatization with intuitive axioms.

• Decidability of our logic.

This chapter is organized as follows: Section 5.2 lays out the language and semanticsof our framework; Section 5.3 proposes the axiomatization and proves its soundness;we prove the completeness of our proof system and show the decidability of the logic inSection 5.4 before we conclude with future work.

5.2 The logic SKHIn this section, we will introduce our logic of knowing how with strategy, and we denotethe logic as SKH. Firstly, we introduce the language of SKH. Besides the commonboolean operators, there are a knowing-that modality K and a strategically knowing-how modality Khs.

Definition 5.2.1 (Language) Let P be a countable set of propositional symbols. Thelanguage is defined by the following BNF where p ∈ P:

ϕ := p | ¬ϕ | (ϕ ∧ ϕ) | Kϕ | Khsϕ.

We use ⊥,∨,→ as usual abbreviations and write K for ¬K¬.


The formula Kϕ reads “the agent knows that ϕ”. The formula Khsϕ reads “theagent strategically knows how to guarantee ϕ”, that is, the agent has a strategy such thatshe knows that performing the strategy will make her know that ϕ.

Definition 5.2.2 (Models) A model M is a quintuple 〈W,Act,∼, { a−→| a ∈ Act}, V 〉where:

• W is a non-empty set,

• Act is a set of actions,

• ∼ ⊆W ×W is an equivalence relation on W ,

• a−→⊆W ×W is a binary relation on W , and

• V : W → 2P is a valuation.

Note that the labels in Act do not appear in the language. The graph in Figure 5.1.1represents a model with omitted self-loops of ∼ (dotted lines), and the equivalenceclasses induced by ∼ are {s1, s2}, {s3}, {s4}, {s5}, {s6}. In this chapter we do notrequire any properties linking ∼ and a−→ to lay out the most general framework. We willcome back to particular assumptions like perfect recall at the end of the chapter. Givena model and a state s, if there exists t such that s a−→ t, we say that a is executable ats. Also note that the actions can be non-deterministic. For each s ∈ W , we use [s] todenote the equivalence class {t ∈ W | s ∼ t}, and we use [W ] to denote the collectionof all the equivalence classes on W w.r.t. ∼. We use [s]

a−→ [t] to indicate that there ares′ ∈ [s] and t′ ∈ [t] such that s′ a−→ t′. If there is a t ∈ W such that [s]

a−→ [t], we say ais executable at [s].

Definition 5.2.3 (Strategies) Given a model, a (uniformly executable) strategy is a par-tial function σ : [W ] → Act such that σ([s]) is executable at all s′ ∈ [s]. Particularly,the empty function is also a strategy, the empty strategy.

Note that the executability is as crucial as uniformity, without which the knowledge-how may be trivialized. We use dom(σ) to denote the domain of σ. Function σ can beseen as a binary relation on [W ] × Act such that ([s], a), ([s], b) ∈ σ implies a = b.Therefore, given strategies σ and τ with τ ⊆ σ, it follows that dom(τ) ⊆ dom(σ), andτ([s]) = σ([s]) for all [s] ∈ dom(τ).

Definition 5.2.4 (Executions) Given a strategy σ w.r.t a model M, a possible exe-cution (or just execution) of σ is a possibly infinite sequence of equivalence classes

δ = [s0][s1] · · · such that [si]σ([si])−−−−→ [si+1] for all 0 ≤ i < |δ|. Particularly, [s] is a

possible execution if [s] 6∈ dom(σ). If the execution is a finite sequence [s0] · · · [sn], wecall [sn] the leaf-node, and [si](0 ≤ i < n) an inner-node w.r.t. this execution. If it isinfinite, then all [si](i ∈ N) are inner-nodes. A possible execution of σ is complete if itis infinite or its leaf-node is not in dom(σ).

Given δ = [s0] · · · [sn] and µ = [t0] · · · [tm], we use δ v µ to denote that µ extendsδ, i.e., n ≤ m and [si] = [ti] for all 0 ≤ i ≤ n. If δ v µ, we define δ t µ = µ. Weuse CELeaf(σ, s) to denote the set of all leaf-nodes of all the complete executions of

5.2. THE LOGIC SKH 91

s1 a //

a

a

��

s2 b // s3

s4 bgg s5 b // s6

Figure 5.2

σ (which can be many due to non-determinism) starting from [s], and CEInner(σ, s)to denote the set of all the inner-nodes of complete executions of σ starting from [s].CELeaf(σ, s) ∩ CEInner(σ, s) = ∅ since if [s] is a leaf-node of a complete executionthen σ is not defined at [s].

The following is an example to help us get familiar with the notions defined above.

Example 5.2.5 Consider the model depicted in Figure 5.2. Let σ be a function definedas σ = {{s1} 7→ a, {s2, s5} 7→ b, {s4} 7→ b}. We have the following results.

• σ is a strategy.

• All the complete executions of σ starting from [s1] are:

{s1}{s2, s5}{s3}{s1}{s2, s5}{s6}{s1}{s4}{s4} · · · · · ·

• CEInner(σ, s1) = {{s1}, {s2, s5}, {s4}}

• CELeaf(σ, s1) = {{s3}, {s6}}

Definition 5.2.6 (Semantics) Given a pointed modelM, s, the satisfaction relation �is defined as follows:

M, s � p ⇐⇒ p ∈ V (s)M, s � ¬ϕ ⇐⇒ M, s 2 ϕM, s � ϕ ∧ ψ ⇐⇒ M, s � ϕ andM, s � ψM, s � Kϕ ⇐⇒ for all s′ : s∼s′ impliesM, s′ � ϕM, s � Khsϕ ⇐⇒ there exists a strategy σ such that

1.[t]⊆JϕK for all [t]∈CELeaf(σ, s)2. all its complete executionsstarting from [s] are finite,

where JϕK = {s ∈W | M, s � ϕ}.

Note that the two conditions for σ in the semantics of Khs reflect our two intu-itions mentioned in the introduction. The implicit role of K in Khs will become moreclear when the axioms are presented. Going back to Example 5.1.1, we can verifythat Khs¬p holds in s1 and s2 due to the strategy σ = {{s1, s2} 7→ test, {s3} 7→pills, {s4} 7→ surgery}. Note that CELeaf(σ, s) = {[s5], [s6]} = {{s5}, {s6}}and J¬pK = {s5, s6}. On the other hand, Khs¬q is not true in s1: although the agent


can guarantee ¬q de facto in s1 by taking a strategy such that {s1, s2} 7→ test and{s3} 7→ pills, he cannot know it beforehand since nothing works at s2 to make sure¬q. Readers may also verify that Khs(p ↔ q) holds at s1 and s2 (hint: a strategy is apartial function).

The following example shows that (Khsϕ ∧ Khs(ϕ→ ψ))→ Khsψ is not valid.

Example 5.2.7 Let the modelM be depicted as below. It is easy to verify thatM, s �Khsp due to the strategy σ1 = {{s} 7→ a} and thatM, s � Khs(p → q) due to theempty strategy. Since there is no strategy to get to a state where q is true, thus we haveM, s � ¬Khsq.

s : ¬p,¬q a // t : p,¬q

5.3 A deductive systemIn this subsection, we provide a Hilbert-style proof system for the logic SKH and showit is sound.

5.3.1 Axiom system SKHSDefinition 5.3.1 (SKH System) The axiomatic system SKH is shown in Table 5.1. Wewrite SKH ` ϕ (or sometimes just ` ϕ) to mean that the formula ϕ is derivable in theaxiomatic system SKH; the negation of SKH ` ϕ is written SKH 0 ϕ (or just 0 ϕ). Tosay that a set D of formulas is SKH-inconsistent (or just inconsistent) means that thereis a finite subset D′ ⊆ D such that ` ¬

∧D′, where

∧D′ :=

∧ϕ∈D′ ϕ if D′ 6= ∅ and∧

ϕ∈∅ ϕ := >. To say that a set of formulas is SKH-consistent (or just consistent) meansthat the set of formulas is not inconsistent. Consistency or inconsistency of a formularefers to the consistency or inconsistency of the singleton set containing the formula.

AxiomsTAUT all axioms of propositional logicDISTK Kp ∧ K(p→ q)→ KqT Kp→ p4 Kp→ KKp5 ¬Kp→ K¬KpAxKtoKh Kp→ KhspAxKhtoKhK Khsp→ KhsKpAxKhtoKKh Khsp→ KKhspAxKhKh KhsKhsp→ KhspAxKhbot Khs⊥ → ⊥

Rules:

MPϕ,ϕ→ ψ

ψNECK

ϕ

KϕMONOKh

ϕ→ ψ

Khsϕ→ KhsψSUB

ϕ(p)

ϕ[ψ/p]

Table 5.1: System SKHS


Note that we have S5 axioms forK. AxKtoKh says if p is known then you know howto achieve p by doing nothing (we allow the empty strategy). AxKhtoKhK reflects the firstcondition in the semantics that the goal is known after the complete executions. We willcome back to this axiom at the end of the chapter. Note that the termination conditionis not fully expressible in our language but AxKhbot captures part of it by ruling outstrategies that have no terminating complete executions at all. AxKhKh essentially saysthat the strategies can be composed. Its validity is quite involved, to which we devotethe next subsection. Finally, AxKhtoKKh is the positive introspection axiom for Khs,whose validity is due to uniformity of the strategies on indistinguishable states. Thecorresponding negative introspection can be derived by using AxKhtoKKh, 5 and T:

Proposition 5.3.2 ` ¬Khsp→ K¬Khsp.

PROOF(1) ¬KKhsp→ ¬Khsp AxKhtoKKh

(2) K¬KKhsp→ K¬Khsp (1), NECK(3) ¬KKhsp→ K¬KKhsp 5

(4) ¬KKhsp→ K¬Khsp (2), (3), MP(5) ¬Khsp→ ¬KKhsp T

(6) ¬Khsp→ K¬Khsp (4), (5), MP2

Note that we do not have the K axiom for Khs because it is not valid (see Ex-ample 5.2.7). Instead, we have the monotonicity rule MONOKh. In fact, the logic is notnormal, as desired, e.g., (Khsp∧Khsq)→ Khs(p∧q) is not valid: the existence of twodifferent strategies for different goals does not imply the existence of a unified strategyto realize both goals.

5.3.2 SoundnessIn this subsection, we show that the axiom system SKH is sound with respect to thesemantics provided in Section 5.2. Given that the knowing-that modalityK is interpretedin the same way as epistemic logic, we will not show that the S5 axioms and rules forK are sound. Also since the logic is built on a well-understood modal logic, we will notshow that the rules MP and SUB are sound. We will focus on the axioms and rules withthe knowing-how modality Khs.

The following proposition shows the axiom AxKtoKh is valid.

Proposition 5.3.3 � Kϕ→ Khsϕ

PROOF If M, s � Kϕ, it follows that [s] ⊆ JϕK. Let σ be the empty strategy. Itfollows that [s] is the only complete execution of σ starting from [s]. Thus, we haveCELeaf = {[s]}. Since [s] ⊆ JϕK, it follows thatM, s � Khsϕ. 2

The following proposition shows the axiom AxKhtoKhK is valid.

Proposition 5.3.4 � Khsϕ→ KhsKϕ

PROOF If M, s � Khsϕ, it follows that there exists a strategy σ such that all itscomplete executions starting from [s] are finite. Moreover, for each [t] ∈ CELeaf(σ, s),


we have [t] ⊆ JϕK, and then we haveM, t′ � Kϕ for all t′ ∈ [t]. Therefore, we have[t] ⊆ JKϕK for each [t] ∈ CELeaf(σ, s). Thus, we haveM, s � KhsKϕ. 2

The following proposition shows that the axiom AxKhtoKKh is valid.

Proposition 5.3.5 � Khsϕ→ KKhsϕ

PROOF IfM, s � Khsϕ, it follows that there exists a strategy σ such that all its com-plete executions starting from [s] are finite. Moreover, for each [t] ∈ CELeaf(σ, s), wehave [t] ⊆ JϕK. Given s′ ∈ [s], since [s] = [s′], it follows that all complete executionsof σ starting from [s′] are the same as all complete executions of σ starting from [s].Thus, we have CELeaf(σ, s) = CELeaf(σ, s′). Therefore, we haveM, s′ � Khsϕ forall s′ ∈ [s]. It follows thatM, s � KKhsϕ. 2

The following proposition shows that the axiom AxKhbot is valid.

Proposition 5.3.6 � Khs⊥ → ⊥

PROOF We only need to show � ¬Khs⊥. Assuming that M, s � Khs⊥ for somepointed modelM, s. It follows that there exists a strategy σ such that all its completeexecutions starting from [s] are finite and [t] ⊆ J⊥K for each [t] ∈ CELeaf(σ, s). Nomatter whether [s] ∈ dom(σ) or not, we always have CELeaf(σ, s) 6= ∅. It follows thatthere exists [t] ∈ CELeaf(σ, s) such that [t] ⊆ J⊥K. Since [t] 6= ∅ and J⊥K = ∅, it isa contradiction that [t] ⊆ J⊥K. Therefore,Khs⊥ is not satisfiable, and thus � ¬Khs⊥. 2

The following proposition shows that the rule MONOKh preserves the validity.

Proposition 5.3.7 If � ϕ→ ψ then we have � Khsϕ→ Khsψ.

PROOF If � ϕ → ψ and M, s � Khsϕ, we need to show M, s � Khsψ. It fol-lows by M, s � Khsϕ that there exists a strategy σ such that all its complete exe-cutions starting from [s] are finite. Moreover, for each [t] ∈ CELeaf(σ, s), we have[t] ⊆ JϕK. Since � ϕ→ ψ, it follows that JϕK ⊆ JψK. Thus, we have [t] ⊆ JψK for each[t] ∈ CELeaf(σ, s). Therefore, we haveM, s � Khsψ. 2

The axiom AxKhKh is about the “sequential” compositionality of strategies. Supposeon some pointed model there is a strategy σ to guarantee that we end up with the stateswhere on each s of them we have some other strategy σs to make sure p (KhsKhsp).Since the strategies are uniform, we only need to consider some σ[s] for each [s]. Now tovalidate AxKhKh, we need to design a unified strategy to compose σ and those σ[s] intoone strategy to still guarantee p (Khsp). The general idea is actually simple: first orderthose leafnodes [s] (using Axiom of Choice); then by transfinite induction adjust σ[s]

one by one to make sure these strategies can fit together as a unified strategy θ; finally,merge the relevant part of σ with θ into the desired strategy. We make this idea precisebelow. First we need an observation:

Proposition 5.3.8 Given strategies τ and σ with τ ⊆ σ, if [s] ∈ dom(τ) and dom(σ) ∩CELeaf(τ, s) = ∅, then a sequence is a complete execution of σ from [s] if and only if itis a complete execution of τ from [s].


PROOF Left to Right: Let [s0] · · · [sn] · · · be a complete execution of σ from [s]. Wewill show that it is also a complete execution of τ from [s]. Firstly, we show that it ispossible to execute τ from [s]. If it is not, then there exists [si] such that [si] is not theleaf-node of this execution and that [si] 6∈ dom(τ). Let [sj ] be the minimal equivalenceclass in the sequence with such properties. It follows that [sj ] ∈ CELeaf(τ, s) and[sj ] ∈ dom(σ). These are contradictory with dom(σ) ∩ CELeaf(τ, s) = ∅.

Next we will show that [s0] · · · [sn] · · · forms a complete execution of τ from [s].This is obvious if the sequence is infinite. If it is finite, let the leaf-node be [sm]. Itfollows that [sm] 6∈ dom(σ). Since τ ⊆ σ, it follows [sm] 6∈ dom(τ). Therefore, theexecution is complete given τ .

Right to Left: Let [s0] · · · [sn] · · · be a complete execution of τ from [s]; we willshow that it is also a complete execution of σ from [s]. Since τ ⊆ σ, it is also a possibleexecution given σ. If the execution is infinite, this is obvious. If it is finite, let the leaf-node be [sm]. It follows that [sm] ∈ CELeaf(τ, s). Since dom(σ) ∩ CELeaf(τ, s) = ∅,it follows that [sm] 6∈ dom(σ). Therefore, the execution is also complete given σ. 2

Now, we are ready to show that the axiom AxKhKh is valid.

Proposition 5.3.9 � KhsKhsϕ→ Khsϕ.

PROOF SupposingM, s � KhsKhsϕ, we will show thatM, s � Khsϕ. It follows bythe semantics that there exists a strategy σ such that all complete executions of σ from[s] are finite and [t] ⊆ JKhsϕK for all [t] ∈ CELeaf(σ, s) (∗). If [s] 6∈ dom(σ), thenCELeaf(σ, s) = {[s]}, and then it is trivial thatM, s � Khsϕ. Next we focus on thecase of [s] ∈ dom(σ).

According to the well-ordering theorem (equivalent to Axiom of Choice), we assumeCELeaf(σ, s) = {Si | i < γ} where γ is an ordinal number and γ ≥ 1. Let si be anelement in Si; then [si] = Si. Since M, si � Khsϕ for each i < γ, it follows thatfor each [si] there exists a strategy σi such that all complete executions of σi from [si]are finite and [v] ⊆ JϕK for all [v] ∈ CELeaf(σi, si) (J). Next, in order to showM, s � Khsϕ, we need to define a strategy τ . The definition consists of the followingsteps.

Step I. By induction on i, we will define a set of strategies τi where 0 ≤ i < γ. Let fi =⋃β<i τβ andDi = CEInner(σi, si)\ (dom(fi)∪{[v] ∈ CELeaf(fi, t) | [t] ∈ dom(fi)})

we define:

• τ0 = σ0|CEInner(σ0,s0);

• τi = fi ∪ (σi|Di) for i > 0.

Claim 5.3.9.1 We have the following results:

1. For each 0 ≤ i < γ, τj ⊆ τi if j < i;

2. For each 0 ≤ i < γ, τi is a partial function;

3. For each 0 ≤ i < γ, dom(τi) ∩ CELeaf(τj , t) = ∅ where t ∈ dom(τj) if j < i;

4. For each 0 ≤ i < γ, if δ = [t0] · · · is a complete execution of τi from [t] ∈ dom(τi)then |δ| = n for some n ∈ N and [tn] ⊆ JϕK;


5. For each 0 ≤ i < γ, [si] ∈ dom(τi) or [si] ⊆ JϕK.

Proof of claim 5.3.9.1:

1. It is obvious.

2. We prove it by induction on i. For the case of i = 0, it is obvious. For the caseof i = α > 0, it follows by the IH that τβ is a partial function for each β < α.Furthermore, it follows by 1. that τβ1

⊆ τβ2for all β1 < β2 < α. Thus, we have

fα =⋃β<α τβ is a partial function. Since σα is a partial function, in order to

show τα is a partial function, we only need to show that dom(fα)∩Dα = ∅. SinceDα = CEInner(σα, sα) \ dom(fα) \ {[v] ∈ CELeaf(fα, t) | t ∈ dom(fα)}, it isobvious that dom(fα) ∩Dα = ∅.

3. We prove it by induction on i. It is obvious for the case of i = 0. For the caseof i = α > 0, given j < α and t ∈ dom(τj), we need to show that dom(τα) ∩CELeaf(τj , t) = ∅. Supposing [v] ∈ CELeaf(τj , t), we will show that [v] 6∈dom(τα), namely [v] 6∈ dom(fα) ∪ Dα. Since j < α and fα =

⋃β<α τα, it

follows t ∈ dom(fα). Moreover, due toDα = CEInner(σα, sα)\dom(fα)\{[v] ∈CELeaf(fα, t) | t ∈ dom(fα)}, it follows [v] 6∈ Dα.

Next, we only need to show [v] 6∈ dom(fα). Assuming [v] ∈ dom(fα), it followsthat [v] ∈ dom(τβ) for some β < α. There are two cases: j < β or j ≥ β. If j <β, it follows by the IH that dom(τβ)∩CELeaf(τj , t) = ∅. Contradiction. If j ≥ β,it follows by 1. that τβ ⊆ τj . Due to [v] ∈ dom(τβ), it follows [v] ∈ dom(τj). Thiscontradicts with [v] ∈ CELeaf(τj , t). Thus, we have [v] 6∈ dom(fα).

4. We prove it by induction on i. For the case of i = 0, due to the fact that dom(τ0) =CEInner(σ0, s0), it follows that there is a σ0’s possible execution [s0] · · · [sm]such that m ∈ N and [sm] = [t]. Let µ = [s0] · · · [sm−1] ◦ δ. (If m = 0then µ = δ). Since δ is a complete execution of τ0 from [t], it follows that µ isa complete execution of σ0 from [s0]. It follows by (J) that µ is finite. Thus,δ = [t0] · · · [tn] for some n ∈ N. Since [tn] ∈ CELeaf(σ0, s0), it follows by (J)that [tn] ⊆ JϕK.

For the case of i = α > 0, there are two situations: [t] ∈ dom(fα) or [t] ∈ Dα.If [t] ∈ dom(fα), it follows that [t] ∈ dom(τβ) for some β < α. By 3, we havedom(τα) ∩ CELeaf(τβ , t) = ∅. Since δ is a complete execution of τα, it followsby Proposition 5.3.8 that δ is also a complete execution of τβ from [t]. It followsby the IH that |δ| = n for some n ∈ N and [tn] ⊆ JϕK.

If [t] ∈ Dα, there are two cases: there exist k < |δ| and β < α s.t. [tk] ∈ dom(τβ),or there do not exist such k and β. (Please note that |δ| > 1 due to the fact thatδ = [t0] · · · is a complete execution of τα from [t] ∈ dom(τα)).

– [tk] ∈ dom(τβ) for some k < |δ| and some β < α: It follows that µ =[tk] · · · is a complete execution of τα from [tk]. By 3. and Proposition 5.3.8,µ is a complete execution of τβ from [tk]. By IH, µ = [tk] · · · [tk+n] forsome n ∈ N and [tk+n] ⊆ JϕK. Therefore, |δ| = k + n.

– If there do not exist k < |δ| and β < α s.t. [tk] ∈ dom(τβ), it followsthat δ = [t0] · · · is a σα’s possible execution from [t]. Since [t] ∈ Dα ⊆


CEInner(σα, sα), then there is a σα’s possible execution [s0] · · · [sm] s.t.m ∈ N, [s0] = [sα] and [sm] = [t]. Let µ = [s0] · · · [sm−1] ◦ δ. (If m = 0then µ = δ). It follows that µ is σα’s possible execution from sα. By (J),all complete executions of σα from sα are finite. Thus, µ is finite. Therefore,δ = [t0] · · · [tn] for some n ∈ N.We continue to show that [tn] ⊆ JϕK. Since δ = [t0] · · · [tn] is a completeexecution of τα from t and it is also a possible execution of σα from t,there are two cases: [tn] ∈ CELeaf(fα, t

′) for some t′ ∈ dom(fα), or δis a complete execution of σα from t. If [tn] ∈ CELeaf(fα, t

′) for somet′ ∈ dom(fα), then there exists β < α s.t. [t] ∈ CELeaf(τβ , t

′) and [t′] ∈dom(β). By IH, [tn] ⊆ JϕK. If δ is a complete execution of σα from t, itfollows that µ is a complete execution of σα from [sα]. Then by (J), wehave [tn] ⊆ JϕK.

5. If [si] 6∈ dom(σi), it follows by (J) that [si] ⊆ JϕK. Otherwise, there are twocases: i = 0 or i = α > 0. If i = 0, it follows by [s0] ∈ dom(σ0) that [s0] ∈CEInner(σ0, s0). Thus, [s0] ∈ dom(τ0).

If i = α > 0 and [sα] ∈ dom(σα), we will show that if [sα] 6∈ dom(τα) then[sα] ⊆ JϕK. Firstly, we have that [si] ∈ CEInner(σα, sα). Since [sα] 6∈ dom(τα),it follows that [sα] ∈ CELeaf(fα, t) for some [t] ∈ dom(fα). It follows that thereexists β < α such that [sα] ∈ CELeaf(τβ , t) and t ∈ dom(τβ). It follows by 4.that [si] ⊆ JϕK.

�

Step II. We define τγ =⋃i<γ τi. It follows by 1. and 2. of Claim 5.3.9.1 that τγ is

indeed a partial function. Then we prove the following claim.

Claim 5.3.9.2 If δ = [t0] · · · is a complete execution of τγ from [t] ∈ dom(τγ) then|δ| = n for some n ∈ N and [tn] ⊆ JϕK

Proof of claim 5.3.9.2: Since [t] ∈ dom(τγ), it follows that [t] ∈ dom(τi) for some i < γ.It follows by 5. of Claim 5.3.9.1 that all complete executions of τi from [t] are finite.Thus, there exists µ v δ such that |µ| = n for some n ∈ N and µ is a complete executionof τi from [t]. It follows by 5. of Claim 5.3.9.1 that [tn] ⊆ JϕK.

Next, we only need to show δ = µ. If not, then δ = [t0] · · · [tn][tn+1] · · · . Wethen have that there exists j < γ such that {tk | 0 ≤ k ≤ n} ⊆ dom(τj). It cannotbe that j ≤ i. Otherwise, µ is not a complete execution of τi since τj ⊆ τi by 1.of Claim 5.3.9.1. Thus, we have j > i. Since we also have that [tn] ∈ dom(τj),[tn] ∈ CELeaf(τi, t) and t ∈ dom(τi), this is contradictory with 3. of Claim 5.3.9.1.Therefore, we have δ = µ. �

Step III. We define τ as τ = τγ ∪ (σ|C) where C = CEInner(σ, s) \ (dom(τγ)∪{[v] ∈CELeaf(τ ′, t) | [t] ∈ dom(τγ)}) and σ is the strategy mentioned at (∗). Since both τγand σ|C are partial functions, τ is also a partial function. We then prove the followingclaim.

Claim 5.3.9.3 If δ = [t0] · · · is a complete execution of τ from [t] ∈ dom(τ) then|δ| = n for some n ∈ N and [tn] ⊆ JϕK.


Proof of claim 5.3.9.3: Since dom(τ) = dom(τγ)∪C, there are two cases: [t] ∈ dom(τγ)or [t] ∈ C.

If [t] ∈ dom(τγ), it follows that CELeaf(τγ , t) ∩ C = ∅. Moreover, we haveCELeaf(τγ , t) ∩ dom(τγ) = ∅. Thus, we have CELeaf(τγ , t) ∩ dom(τ) = ∅. It fol-lows by Proposition 5.3.8 that δ is a complete execution of τγ from from [t]. It followsby Claim 5.3.9.2 |δ| = n for some n ∈ N and [tn] ⊆ JϕK

If [t] ∈ C, there are two cases: there exists k < |δ| such that [tk] ∈ dom(τγ), orthere does not exists such k. (Please note that |δ| > 1 due to the fact that δ = [t0] · · · iscomplete execution of τ from [t] ∈ dom(τ)).

• [tk] ∈ dom(τγ) for some k < |δ|: It follows that µ = [tk] · · · is a complete execu-tion of τ from [tk]. Since dom(τ)∩CELeaf(τγ , tk) = ∅. It follows by Proposition5.3.8 that µ is a complete execution of τγ from [tk]. It follows by Claim 5.3.9.2that µ = [tk] · · · [tk+n] for some n ∈ N and [tk+n] ⊆ JϕK. Therefore, |δ| = k+n.

• If there does not exist k < |δ| s.t. [tk] ∈ dom(τγ), then δ = [t0] · · · is a σ’spossible execution from [t]. Since [t] ∈ C ⊆ CEInner(σ, s), then there is aσ’s possible execution [s0] · · · [sm] s.t. m ∈ N, [s0] = [s] and [sm] = [t]. Letµ = [s0] · · · [sm−1] ◦ δ. (If m = 0 then µ = δ). It follows that µ is σ’s possibleexecution from s. By (∗), all complete executions of σ from s are finite. Thus, µis finite. Therefore, δ = [t0] · · · [tn] for some n ∈ N.

We continue to show that [tn] ⊆ JϕK. Since δ = [t0] · · · [tn] is a complete ex-ecution of τ from t and it is also a σ’s possible execution from t, there are twocases: [tn] ∈ CELeaf(τγ , t

′) for some t′ ∈ dom(τγ), or δ is a complete executionof σ from t. If [tn] ∈ CELeaf(τγ , t

′) for some [t′] ∈ dom(τγ), it follows by Claim5.3.9.2 that [tn] ⊆ JϕK. If δ is a complete execution of σ from t, it follows that µ isa complete execution of σ from [s]. It follows that [tn] = Si for some 0 ≤ i < γ.Since δ = [t0] · · · [tn] is a complete execution of τ from [t] ∈ dom(τγ), it follows[tn] 6∈ dom(τγ). We then have [tn] 6∈ dom(τi), namely Si 6∈ τi. It follows by 5. ofClaim 5.3.9.1 that Si ⊆ JϕK, namely [tn] ⊆ JϕK.

�Next, we continue to show thatM, s � Khsϕwith the assumption that [s] ∈ dom(σ).

Since [s] ∈ dom(σ), we have [s] ∈ CEInner(σ, s). There are two cases: [s] ∈ dom(τ)or not. If [s] ∈ dom(τ), it follows by claim 5.3.9.3 thatM, s � Khsϕ. If [s] 6∈ dom(τ),due to [s] ∈ CEInner(σ, s), it follows that [s] ∈ CELeaf(τγ , t) for some [t] ∈ dom(τγ).It follows by Claim 5.3.9.2 that [s] ⊆ JϕK. It follows thatM, s � Kϕ. It is obvious thatM, s � Khsϕ. 2

Now we are ready to prove the soundness, which can be proven by induction on thelength of the proof.

Theorem 5.3.10 (Soundness) If ` ϕ then � ϕ.

5.4 Completeness and decidabilityLet Φ be a set of formulas such that it is closed under subformula and ∼ϕ ∈ Φ foreach ϕ ∈ Φ, where ∼ϕ = χ if ϕ = ¬χ, otherwise, ∼ϕ = ¬ϕ. It is obvious that Φ is

5.4. COMPLETENESS AND DECIDABILITY 99

countable since the whole language itself is countable. Given a set of formulas ∆, let

∆|K = {Kϕ | Kϕ ∈ ∆}∆|¬K = {¬Kϕ | ¬Kϕ ∈ ∆}∆|Khs = {Khsϕ | Khsϕ ∈ ∆}

∆|¬Khs = {¬Khsϕ | ¬Khsϕ ∈ ∆}

Below we define the closure of Φ, and use it to build a canonical model w.r.t. Φ. Wewill show that when Φ is finite then we can build a finite model.

Definition 5.4.1 cl(Φ) is the smallest set such that:

• Φ ⊆ cl(Φ);

• if ϕ ∈ Φ then Kϕ,¬Kϕ ∈ cl(Φ).

Definition 5.4.2 (Atom) Let cl(Φ) = {ψi | i ∈ N}. The formula set ∆ = {Yi | i ∈ N}is an atom of cl(Φ) if

• Yi = ψi or Yi = ∼ψi for all ψi ∈ cl(Φ);

• ∆ is consistent.

An atom of Φ is also called an maximally consistent subset of Φ. Note that if Φ isthe whole language then an atom is simply a maximally consistent set. By a standardinductive construction, we can obtain the Lindenbaum-like result in our setting:

Proposition 5.4.3 Let Γ be a consistent subset of cl(Φ) and ϕ ∈ cl(Φ). If Γ ∪ {±ϕ} isconsistent then there is an atom ∆′ of cl(Φ) such that (Γ∪{±ϕ}) ⊆ ∆′, where±ϕ = ϕor ±ϕ = ∼ϕ.

PROOF Let ψ1, · · · , ψn, · · · be all the formulas in cl(Φ) \ Γ \ {ϕ}. We define Γi asbelow.

Γ0 = Γ ∪ {±ϕ}

Γi+1 =

{Γi ∪ {ψi} if Γi ∪ {ψi} is consistentΓi ∪ {∼ψi} otherwise

Firstly, we will show that Γi is consistent for all i ∈ N. Since Γ0 is consistent, weonly need to show that if Γi is consistent then Γi+1 is consistent, i.e. either Γi ∪ {ψi} orΓi∪{∼ψi} is consistent. Assuming both Γi∪{ψi} and Γi∪{¬ψi} are not consistent, itfollows that Γi ` ¬ψi and Γi ` ψi. That is, Γi is inconsistent. Contradiction. Therefore,either Γi ∪ {ψi} or Γi ∪ {∼ψi} is consistent.

Let ∆′ =⋃i∈N Γi. It follows that ∆′ is consistent. It is obvious that either ψ ∈ ∆′

or ∼ψ ∈ ∆′ for all ψ ∈ cl(Φ). Therefore, ∆′ is an atom of cl(Φ). 2

Next, we are going to build a canonical model w.r.t. Φ.

Definition 5.4.4 Given a subformula-closed Φ, the canonical modelMΦ = 〈W,Act,∼, { x−→| x ∈ Act}, V 〉 is defined as:


• W = {∆ | ∆ is an atom of cl(Φ)};

• Act = {ϕ | Khsϕ ∈ Φ};

• ∆ ∼ ∆′ iff ∆|K = ∆′|K;

• for each ϕ ∈ Act, ∆ϕ−→ ∆′ iff Khsϕ,¬Kϕ ∈ ∆ and Kϕ ∈ ∆′;

• for each p ∈ Φ, p ∈ V (∆) iff p ∈ ∆.

Note that we use formulas that the agent knows how to achieve as the action labels,and we introduce an action transition if it is necessary, i.e., Khsϕ but ¬Kϕ (the emptystrategy does not work). Requiring Kϕ ∈ ∆′ is to reflect the first condition in thesemantics of Khs. Using NECK, DISTK and Proposition 5.4.3, it is routine to show theexistence lemma for K:

Proposition 5.4.5 Let ∆ be a state in MΦ, and Kϕ ∈ cl(Φ). If Kϕ 6∈ ∆ then thereexists ∆′ ∈ [∆] such that ∼ϕ ∈ ∆′.

PROOF Let Γ = ∆|K∪∆|¬K∪{∼ϕ}. Γ is consistent. If not, there areKϕi, · · · ,Kϕnand ¬Kψ1, · · · ,¬Kψm in ∆ such that

` (Kϕ1 ∧ · · · ∧ Kϕn ∧ ¬Kψ1 ∧ · · · ∧ ¬Kψm)→ ϕ.

Following by NECK and DISTK, we have

` K(Kϕi ∧ · · · ∧ Kϕn ∧ ¬Kψ1 ∧ · · · ∧ ¬Kψm)→ Kϕ.

Since the epistemic operator K is distributive over ∧ and ` KKϕi ↔ Kϕi for all 1 ≤i ≤ n and ` K¬Kψi ↔ ¬Kψi for all 1 ≤ i ≤ m, we have

` (Kϕi ∧ · · · ∧ Kϕn ∧ ¬Kψ1 ∧ · · · ∧ ¬Kψm)→ Kϕ.

Since Kϕi, · · · ,Kϕn and ¬Kψ1, · · · ,¬Kψm are all in ∆ and Kϕ ∈ cl(Φ), it followsthat Kϕ ∈ ∆. It is contradictory with the assumption that Kϕ 6∈ ∆. Therefore, Γ isconsistent. It follows by Proposition 5.4.3 that there exists an atom ∆′ of cl(Φ) suchthat Γ ⊆ ∆′. Since (∆|K ∪∆|¬K) ⊆ ∆′, we have ∆′ ∼ ∆, that is, ∆′ ∈ [∆]. 2

Proposition 5.4.6 Let ∆ and ∆′ be two states in MΦ such that ∆ ∼ ∆′. We have∆|Khs = ∆′|Khs .

PROOF For each Khsϕ ∈ ∆, by Definition 5.4.1, Khsϕ ∈ Φ, and then KKhsϕ ∈cl(Φ). For each Khsϕ ∈ ∆, by Axiom AxKhtoKKh, we have KKhsϕ ∈ ∆. Since ∆ ∼∆′, then KKhsϕ ∈ ∆′, and by Axiom T, Khsϕ ∈ ∆′. So we showed that Khsϕ ∈ ∆implies Khsϕ ∈ ∆′. Similarly we can prove Khsϕ ∈ ∆′ implies Khsϕ ∈ ∆. Hence,∆|Khs = ∆′|Khs . 2

The following is a crucial observation for proofs.

Proposition 5.4.7 Let ∆ be a state in MΦ and ψ ∈ Act be executable at [∆]. If

Khsϕ ∈ ∆′ for all ∆′ with [∆]ψ−→ [∆′] then Khsϕ ∈ ∆.

5.4. COMPLETENESS AND DECIDABILITY 101

PROOF First, we show that Kψ is not consistent with ¬Khsϕ. It is obvious thatKhsϕ ∈ cl(Φ). Since ψ is executable at [∆], there are atoms Γ1 and Γ2 s.t. Γ1

ψ−→ Γ2.Then Kψ ∈ Γ2. Assuming that Kψ is consistent with ¬Khsϕ, by Proposition 5.4.3there exists an atom Γ of cl(Φ) s.t. {Kψ,¬Khsϕ} ⊆ Γ. Since ψ ∈ Act is executable at

[∆], then by definition ofψ−→,∼ and Proposition 5.4.6, Khsψ,¬Kψ ∈ ∆. It follows that

∆ψ−→ Γ, then [∆]

ψ−→ [Γ]. This is contradictory with the assumption that Khsϕ ∈ ∆′

for all ∆′ with [∆]ψ−→ [∆′]. Then Kψ is not consistent with ¬Khsϕ. Hence, ` Kψ →

Khsϕ.Since ` Kψ → Khsϕ, it follows by Rule MONOKh and Axiom AxKhtoKhK that

` Khsψ → KhsKhsϕ. Moreover, it follows by Axiom AxKhKh that ` Khsψ → Khsϕ.

Since ψ is executable at [∆], it follows by the definition ofψ−→ and Proposition 5.4.6 that

Khsψ ∈ ∆. Therefore, we have Khsϕ ∈ ∆. 2

Lemma 5.4.8 For each ϕ ∈ cl(Φ),MΦ,∆ � ϕ iff ϕ ∈ ∆.

PROOF We prove it by induction on ϕ. We only focus on the cases of Kϕ and Khsϕ;the other cases are straightforward.

• Case of Kϕ. IfMΦ,∆ � Kϕ, we will show Kϕ ∈ ∆. Assuming Kϕ 6∈ ∆, itfollows by Proposition 5.4.5 that there exists ∆′ ∈ [∆] such that ¬ϕ ∈ ∆′. Itfollows by IH that MΦ,∆′ � ¬ϕ. It is contradictory with MΦ,∆ � Kϕ and∆′ ∈ [∆]. Thus we have Kϕ ∈ ∆.

If Kϕ ∈ ∆, we will show MΦ,∆ � Kϕ. Assuming MΦ,∆ 2 Kϕ, it followsthat there is ∆′ ∈ [∆] such thatMΦ,∆′ � ¬ϕ. It follows by IH that ¬ϕ ∈ ∆′. Itmust be the case of ¬Kϕ ∈ ∆′ because Kϕ ∈ ∆′ implies ϕ ∈ ∆′. It follows that¬Kϕ ∈ ∆. Contradiction. Thus we haveMΦ,∆ � Kϕ.

• Case of Khsϕ. Note that if Khsϕ ∈ cl(Φ) then ϕ ∈ cl(Φ) thus by Definition5.4.1 Kϕ ∈ cl(Φ).

Right to Left: If Khsϕ ∈ ∆, we will showMΦ,∆ � Khsϕ. Firstly, there aretwo cases: Kϕ ∈ ∆ or Kϕ 6∈ ∆. If Kϕ ∈ ∆, then Kϕ,ϕ ∈ ∆′ for all ∆′ ∈ [∆].Since ϕ ∈ Φ, it follows by IH that MΦ,∆′ � ϕ for all ∆′ ∈ [∆]. Therefore,MΦ,∆ � Kϕ. It follows by Axiom AxKtoKh and the soundness of SKH thatMΦ,∆ � Khsϕ. If ¬Kϕ ∈ ∆, we first show that Kϕ is consistent. If not,namely ` Kϕ → ⊥, it follows by Rule MONOKh that ` KhsKϕ → Khs⊥. Itfollows by Axiom AxKhbot that ` KhsKϕ → ⊥. Since Khsϕ ∈ ∆, it followsby Axiom AxKhtoKhK that ∆ ` ⊥, which is contradictory with the fact that ∆ isconsistent. Therefore, Kϕ is consistent.

By Proposition 5.4.3 there exists an atom ∆′ s.t. Kϕ ∈ ∆′. Note that ϕ ∈ Act.Thus, we have ∆

ϕ−→ ∆′, then [∆]ϕ−→ [∆′]. Let [∆′′] be an equivalence class s.t.

[∆]ϕ−→ [∆′′], which indicates Γ

ϕ−→ Γ′′ for some Γ ∈ [∆] and Γ′′ ∈ [∆′′]. Bydefinition of

ϕ−→ and ∼ we get Kϕ ∈ Θ for all Θ ∈ [∆′′]. By IH,MΦ,Θ � ϕ forall Θ ∈ [∆′′], namely [∆′′] ⊆ JϕK. Moreover,

ϕ−→ is not a loop on [∆] because¬Kϕ ∈ ∆. Thus, the partial function σ = {[∆] 7→ ϕ} is a strategy s.t. all


its complete executions starting from [∆] are finite and [∆′′] ⊆ JϕK for each[∆′′] ∈ CELeaf(σ,∆). Then,MΦ,∆ � Khsϕ.

Left to Right: Suppose MΦ,∆ � Khsϕ, we will show Khsϕ ∈ ∆. By thesemantics, there exists a strategy σ s.t. all complete executions of σ starting from[∆] are finite and [Γ] ⊆ JϕK for all [Γ] ∈ CELeaf(σ,∆). By IH, ϕ ∈ Γ′ for allΓ′ ∈ [Γ] and [Γ] ∈ CELeaf(σ,∆). By Proposition 5.4.5, we get Kϕ ∈ Γ for all[Γ] ∈ CELeaf(σ,∆). By Axiom AxKtoKh and Proposition 5.4.6, Khsϕ ∈ Γ forall [Γ] ∈ CELeaf(σ,∆).

If [∆] 6∈ dom(σ), it is obvious that Khsϕ ∈ ∆ because [∆] ∈ CELeaf(σ,∆).Next, we consider the case of [∆] ∈ dom(σ), then [∆] ∈ CEInner(σ,∆). In orderto show Khsϕ ∈ ∆, we will show a more strong result that Khsϕ ∈ ∆′ for all[∆′] ∈ CEInner(σ,∆). Firstly, we show the following claim:

Claim 5.4.8.1 If there exists [∆′] ∈ CEInner(σ,∆) such that ¬Khsϕ ∈ ∆′ thenthere exists an infinite execution of σ starting from [∆].

Proof of claim 5.4.8.1: Let X be the set {[Θ] ∈ CEInner(σ,∆) | ¬Khsϕ ∈ Θ}.It follows that [∆′] ∈ X and X ⊆ dom(σ). We define a binary relation R on X as

R = {([Θ], [Θ′]) | [Θ]σ([Θ])−−−−→ [Θ′]}.

For each [Θ] ∈ X , we have that σ([Θ]) is executable at [Θ]. Since ¬Khsϕ ∈ Θ,

by Proposition 5.4.7 there exists an atom Θ′ s.t. [Θ]σ([Θ])−−−−→ [Θ′] and ¬Khsϕ ∈

Θ′. Since Khsϕ ∈ Γ for all [Γ] ∈ CELeaf(σ,∆) and [Θ] ∈ CEInner(σ,∆),wehave [Θ′] ∈ CEInner(σ,∆). Then [Θ′] ∈ X . Therefore, R is an entire binary re-lation onX , namely for each [Θ] ∈ X there is [Θ′] ∈ X such that ([Θ], [Θ′]) ∈ R.Then by Axiom of Dependent Choice there exists an infinite sequence [Θ0][Θ1] · · ·s.t. ([Θn], [Θn+1]) ∈ R for all n ∈ N.

From the definition of R, [Θ0][Θ1] · · · is a complete execution of σ starting from[Θ0]. Since [Θ0] ∈ CEInner(σ,∆) and all complete execution of σ from [∆]are finite, there is a possible execution [∆0] · · · [∆j ] for some j ∈ N s.t. [∆0] =[∆] and [∆j ] = [Θ0]. Therefore, [∆0] · · · [∆j ][Θ1] · · · is an infinite completeexecution of σ from [∆]. �

Therefore, we have Khsϕ ∈ ∆′ for all [∆′] ∈ CEInner(σ, s). Otherwise, byclaim 5.4.8.1 there is an infinite complete execution given σ from [∆]. This iscontradictory with the fact that if all complete execution of σ from [∆] are finite,then Khsϕ ∈ ∆′ for all [∆′] ∈ CEInner(σ, s). Since [∆] ∈ dom(σ), we get[∆] ∈ CEInner(σ,∆). Then Khsϕ ∈ ∆.

2

Please note that in the proofs above it does not matter whether the domain ofMΦ isfinite or not. Therefore, let Φ be the set of all formulas, then each maximally consistentset ∆ is actually an atom which satisfies all its formulas inMΦ, according to the abovetruth lemma. Completeness then follows immediately.

Theorem 5.4.9 SKH is strongly complete.

5.5. CONCLUSION 103

Note that if Φ is the set of all subformulas of a given formula ϕ, then cl(Φ) is stillfinite. Due to the soundness of SKH and Proposition 5.4.3, a satisfiable formula ϕ mustbe consistent thus appearing in some atom, and thus ϕ is satisfiable in MΦ. It is nothard to see that |MΦ| ≤ 22|ϕ| where 2|ϕ| is the bound on the size of cl(Φ). This givesus a small model property of our logic, so decidability follows.

Proposition 5.4.10 (Small model property) If ϕ0 is satisfiable then it is satisfiable ina model with at most 2k states where k = |cl(Φ)| and Φ is the subformula closuregenerated by ϕ0.

Theorem 5.4.11 SKH is decidable.

PROOF With the small model property, this can be proved by a standard argumentpresented in Blackburn et al. (2001). 2

5.5 ConclusionIn this chapter, we propose an epistemic logic of both (goal-directed) knowing how andknowing that, and capture the interaction of the two. We have shown that this logic issound and complete, as well as decidable. We hope that the axioms are illuminatingtowards a better understanding of knowing how.

Note that we do not impose any special properties between the interaction of a−→ and∼ in the models so far. In the future, it would be interesting to see whether assumingproperties of perfect recall (K[a]ϕ→ [a]Kϕ) and/or no learning ([a]Kϕ→ K[a]ϕ) (cf.e.g., Fagin et al. (1995); Wang and Li (2012)) can change the logic or not.

Our notion of knowing how is relatively strong, particularly evidenced by the axiomAxKhtoKhK : Khsϕ → KhsKϕ, which is due to the first condition of our semanticsfor Khs, inspired by planning with uncertainty. We believe that this is reasonable forthe scenarios where the agent has perfect recall (or, say, never forgets), which is usuallyassumed implicitly in the discussions on planning (cf. Yu et al. (2016)). However, fora forgetful agent it may not be intuitive anymore, e.g., I know how to get drunk whensober but I may not know how to get to the state that I know I am drunk, assuming drunkpeople do not know they are drunk. Another obvious next step is to consider knowinghow in multi-agent settings.

Chapter 6

Privacy in arrow update logic1

6.1 IntroductionInformation plays an important role in several fields of scientific research, such as philo-sophy, game theory, and artificial intelligence. In this chapter, the notion of informationis confined to the kind of information in one’s mind, which can also be called belief orknowledge. In real-life contexts, information is often communicated. This leads to achange of agents’ information without any change in the bare facts of the world. Onekind of these communicative events is announcement. This chapter will focus on reas-oning about information change due to announcements.

In a multi-agent system, there are at least three types of announcements: public,private and semi-private (cf. e.g., Baltag and Moss (2004)). Imagine a scenario wheretwo agents a and b are in a room, and in front of them, there is a coin in a closedbox. Neither of them knows whether the coin is lying heads up or tails up. A publicannouncement occurs when the box is opened for both to see. This changes not only theagent’s information about the bare facts (basic information) but also agents’ informationabout each other (higher-order information). When a secretly opens the box and b doesnot suspect that anything happened, the effect is the same as the effect that the truth isprivately announced to a. This changes only a’s basic and higher-order information.A semi-private announcement occurs when a opens the box and b observes a’s actionbut b does not see the coin. This changes a’s basic information and the higher-orderinformation of both.

There are a great number of modal logic theories which formalize reasoning aboutinformation change. Plaza’s logic (see Plaza (1989, 2007)) is concerned with reasoningabout information change due to public announcement, in which a public announce-ment of a statement eliminates all epistemic possibilities in which the statement doesnot hold. Gerbrandy and Groeneveld develop a more general dynamic epistemic logicin Gerbrandy and Groeneveld (1997), which formalizes reasoning about informationchange produced by public and private announcements. The dynamic epistemic logicwith action models (DEL), due to Baltag et al. (1998) (see also Baltag and Moss (2004);van Ditmarsch et al. (2007)), is a powerful tool to formalize reasoning about informa-tion change. An action model is a Kripke model-like object that describes agents’ beliefs

1This is based on a short paper presented on the conference of Advances in Modal Logic 2014.

105

106 CHAPTER 6. PRIVACY IN ARROW UPDATE LOGIC

about incoming information. All public, private and semi-private announcement can bemodeled in DEL.

Kooi and Renne’s Arrow Update Logic (AUL) (see Kooi and Renne (2011a)) canalso formalize reasoning about information change produced by public and semi-privateannouncement. Different from other logical frameworks, AUL models informationchange by updating the epistemic access relation, without changing the domain of themodel. This makes AUL very suitable for modeling information change on knowledge-how. Recall Example 5.1.1 in Chapter 5. If a new scientific discovery announces thatthe pill will certainly cure the pain no matter whether there is an allergy or not. In AUL,this announcement is formalized as removing the reflexive arrow on s4. The doctor thenwill know that he can treat the patient by pill without any surgery. However, in AUL,it is common knowledge among agents how each will process incoming information.This assumption of common update policy is dropped in its extension, Generalized Ar-row Update Logic (see Kooi and Renne (2011b)) (GAUL), which can capture the sameinformation change that can be modeled in DEL.

Although DEL and GAUL are much more expressive than AUL, the great express-ive power does not come for free. Their update operators are much more complex thanthe update operator of AUL. This chapter presents a variation of AUL, Private Ar-row Update Logic (PAUL), which also drops the common update-policy assumption ofAUL (so that private announcement can be expressed) and keeps the update operatoras simple and intuitive as AUL. This logic framework is also inspired by the context-indexed semantics developed in Wang (2011) and Wang and Cao (2013). As we willsee, PAUL can formalize reasoning about information change due to public, private andsemi-private announcement.

The rest of the chapter is organized as follows: Section 6.2 proposes the languageand semantics of PAUL, and works out some examples; Section 6.3 presents the tableaucalculus for PAUL and show soundness and completeness; Section 6.4 shows PAUL isdecidable; Section 6.5 concludes with some directions for further research.

6.2 The logic PAUL

6.2.1 Syntax and semanticsIn this section, we introduce the language of this logic. This language differs from thelanguage of AUL in the sense that each update information is only visible to an agentgroup.

Definition 6.2.1 (PAUL Language) Let Agt be a nonempty finite set of agents, and letP be a countable set of atomic propositions. The PAUL language is generated by thefollowing BNF:

ϕ ::= > | p | ¬ϕ | (ϕ ∧ ϕ) | [U,G]ϕ | 2aϕU ::= {(ϕ, a, ϕ)} | {(ϕ, a, ϕ)} ∪ U

where p ∈ P, a ∈ Agt and G ⊆ Agt is a superset of the set of agents occurring in U .

We will often omit parentheses around expressions when doing so ought not causeconfusion. The expression ϕ is called a PAUL-formula (or just formula). The expression

6.2. THE LOGIC PAUL 107

[U,G] occurring in a formula is called a PAUL-update (or just update), which consistsof an update core U and an agent group G to which the update is visible. We let LPAULdenote the set of formulas and updates. Given formulas ϕ and ψ and an agent a ∈ Agt,the syntactic object (ϕ, a, ψ) ∈ U is called an a-arrow specification. As usual, we usethe following abbreviations: ⊥ := ¬>, ϕ ∨ ψ := ¬(¬ϕ ∧ ¬ψ), ϕ → ψ := ¬ϕ ∨ ψ,3aϕ := ¬2a¬ϕ.

Intuitively, the formula 2aϕ expresses that agent a believes ϕ. The formula [U,G]ϕexpresses that ϕ holds after the arrow update [U,G]. The update [U,G] means that theupdate is visible only to agents in G. Please note that the update in AUL has only onepart, that is [U ], which is visible for all agents. Therefore, the update [U ] in AUL is thesame as the update [U,Agt] here.

Definition 6.2.2 (Kripke Model) A Kripke modelM is a tuple 〈WM, RM, VM〉, con-sisting of a nonempty set WM of worlds, a function RM assigning each agent a ∈ Agta binary relation RMa ⊆WM×WM (RMa can also be seen as a function from WM to2WM

), and a function VM : P → P(WM). A pointed Kripke model is a pair (M, s)consisting of a Kripke modelM and a world s ∈ WM; the world s is called the pointof (M, s).

Given a Kripke modelM, we call WM the domain of the model. For each agenta ∈ Agt, we call RMa a’s possibility relation since it defines what worlds agent a con-siders possible in any given world. Please note that updates considered in this chapter donot change any bare facts but only the agent’s beliefs. Therefore, when an update hap-pens, we do not have to change the domain of the model but only change the possibilityrelations (or ‘arrows’).

Definition 6.2.3 Let ρ = [U1, G1] · · · [Un, Gn] be an update sequence (or just sequence),and ρ = ε if n = 0. The update sequence ρ|a is defined by the following induction on n.

ε|a = ε

(ρ[U,G])|a =

{ρ|a a 6∈ Gρ|a[U,G] a ∈ G

The sequence ρ|a means the updates visible to the agent a.

Definition 6.2.4 (PAUL Semantics) Given a pointed Kripke model (M, s), an updatesequence ρ and a formula ϕ, we writeM, s �ρ ϕ to mean that ϕ is true atM, s afterupdates ρ, and we write M, s 2ρ ϕ for the negation of M, s �ρ ϕ. The relation(notation: �ρ) is defined by the following induction on formula construction.

M, s �ρ >M, s �ρ p iff s ∈ V (p)M, s �ρ ¬ϕ iff M, s 2ρ ϕM, s �ρ (ϕ ∧ ψ) iff M, s �ρ ϕ andM, s �ρ ψM, s �ρ [U,G]ϕ iff M, s �ρ[U,G] ϕM, s �ρ 2aϕ iff ∀t ∈WM : (s, t) ∈ RMa ∗ (ρ|a) impliesM, t �ρ|a ϕ

RMa ∗ εdef= RMa

RMa ∗ (ρ′[U,G])def= {(s, t) ∈ RMa ∗ ρ′ | there exists (ϕ, a, ψ) ∈ U :

M, s �ρ′ ϕ andM, t �ρ′ ψ}


We also writeM, s �ε ϕ asM, s � ϕ. To say that a formula ϕ is valid, written as � ϕ,means that M, s � ϕ for each pointed Kripke model (M, s). The negation of � ϕ iswritten as 2 ϕ. To say that a formula ϕ is satisfiable means there exists a pointed model(M, s) such thatM, s � ϕ.

The binary relation RMa ∗ ρ|a is a’s possibility relation after the announcement se-quence ρ. Compared to product semantics, such as in DEL and GAUL, the context-indexed semantics here has the following characteristics. Firstly, we know that updateschange only agents’ beliefs but not bare facts. This feature is more clear in this se-mantics because only the possibility relation is updated when 2-formulas are evaluated.Moreover, product semantics always update the domain of the model when an updatehappens, which means that the size of the model may grow rapidly along with the lengthof update sequence ρ, but this is not the case here. This is because when 2a-formulasare evaluated, we do not change the domain of the model but only update a’s possibilityrelation with respect to the update sequence visible to a, namely ρ|a.

Kooi and Renne (2011a) present an axiomatic theory for AUL, in which the mostimportant axiom states that an agent’s belief after an update can be reduced to his (her)belief before the update. The following proposition shows that the PAUL version of thisreduction axiom also holds.

Proposition 6.2.5 � [U,G]2aϕ↔∧

(ψ,a,χ)∈U (ψ → 2a(χ→ [U,G]ϕ)) if a ∈ G.

PROOF Let (M, s) be a pointed Kripke model. Firstly, we show that if M, s �[U,G]2aϕ then M, s �

∧(ψ,a,χ)∈U (ψ → 2a(χ → [U,G]ϕ)). In order to show that

M, s �∧

(ψ,a,χ)∈U (ψ → 2a(χ → [U,G]ϕ)), we only need to show that M, t �

[U,G]ϕ if there are (ψ, a, χ) ∈ U and t ∈ RMa (s) such thatM, s � ψ andM, t � χ.Following by the assumption of M, s � [U,G]2aϕ, we then have M, t �[U,G] ϕ.Therefore, we haveM, t � [U,G]ϕ.

Secondly, we show that if M, s �∧

(ψ,a,χ)∈U (ψ → 2a(χ → [U,G]ϕ)) thenM, s � [U,G]2aϕ. Assume that M, s 2 [U,G]2aϕ. It follows that there existst ∈WM such that (s, t) ∈ RMa ∗ [U,G] andM, t 2[U,G] ϕ. Since (s, t) ∈ RMa ∗ [U,G],it follows that (s, t) ∈ RMa and there exists (ψ, a, χ) ∈ U such that M, s � ψand M, t � χ. Moreover, since M, s �

∧(ψ,a,χ)∈U (ψ → 2a(χ → [U,G]ϕ)),

we then have M, t � [U,G]ϕ, namely M, t �[U,G] ϕ. This is in contradiction withM, t 2[U,G] ϕ. Therefore, we have if M, s �

∧(ψ,a,χ)∈U (ψ → 2a(χ → [U,G]ϕ))

thenM, s � [U,G]2aϕ. 2

The following proposition shows that if an update is not visible for an agent, thenher belief after the update is the same as her belief before the update.

Proposition 6.2.6 � [U,G]2aϕ↔ 2aϕ if a 6∈ G.

PROOF We have the following:

M, s � [U,G]2aϕ

⇔M, s �[U,G] 2aϕ

⇔ for all (s, t) ∈ Ra ∗ ([U,G]|a) :M, t �[U,G]|a ϕ

⇔ for all (s, t) ∈ Ra :M, t � ϕ due to [U,G]|a = ε

6.2. THE LOGIC PAUL 109

⇔M, s � 2aϕ

2

6.2.2 Announcements in PAULIn this section, we will show how public, private and semi-private announcement arecaptured in PAUL. Let us consider the following scenario of a concealed coin, which isa tweaked version of an example used in Baltag and Moss (2004).

Example 6.2.7 (Basic scenario) Two agents a and b enter a large room which containsa remote-controlled mechanical coin flipper. One of them presses a button, and the coinspins through the air and lands in a small box on a table with heads or tails lying up.The box is closed and they are too far away to see the coin.

Hp

T¬p

a, ba, b a, b

Figure 6.1: the basic modelM

Just as in Baltag and Moss (2004), this can be modelled by a Kripke model M,which is pictured in Figure 6.1. The possible world H ∈ WM represents the possiblefact that the coin is lying heads up, and T ∈WM represents tails up. The proposition pmeans that the coin is lying heads up, so it is only true in H . The possibility relations ofa and b indicate that both of them do not know whether the coin is lying heads or tailsup.

Example 6.2.8 (Public announcement) After the basic scenario, one of them opensthe box and puts the coin on the table for both to see. The effect of this event on theirbeliefs is the same as that of a truthful statement publicly announced to them that thecoin is lying heads or tails up.

Hp

T¬p

a, b a, b

Figure 6.2: RMa ∗ ([U1, G1]|a) and RMb ∗ ([U1, G1]|b)

After the truthful announcement that the coin is lying heads or tails up, both of themthink there is only one possibility in any given world. Thus only their epistemic accessesto any given world should be preserved. This announcement is visible for both, since it ispublicly announced. Therefore, this public and truthful announcement can be capturedby the update [U1, G1] where U1 = {(p, a, p), (¬p, a,¬p), (p, b, p), (¬p, b,¬p)} andG1 = {a, b}. After the update [U1, G1], the possibility relations of a and b turn out


to be as shown in Figure 6.2. Moreover, since the update is visible to both of them,a’s possibility relation in b’s opinion is the same as a’s real possibility relation, namelyRMa ∗ ([U1, G1]|b|a) = RMa ∗ ([U1, G1]|a). If H is the actual world, after this publicand truthful announcement, both of them believe that the coin is lying heads up and thatthe other also believes so. We can check the following formulas.

• M, H � [U1, G1](2ap ∧2bp)

• M, H � [U1, G1](2a2bp ∧2b2ap)

Example 6.2.9 (Private announcement) After the basic scenario of Example 6.2.7, asecretly opens the box herself. Agent b does not observe that a opens the box, and indeeda is certain that b does not suspect that anything happened. The effect of this on theirbeliefs is the same as secretly and privately announcing the truth to a.

H Ta a

(a) RMa ∗ ([U2, G2]|a)

H Tb

b b

(b) RMb ∗ ([U2, G2]|b)

H Ta

a a

(c) RMa ∗ ([U2, G2]|b|a)

Figure 6.3: The possibility relations after the update [U2, G2]

After the truth is announced to a, she thinks that there is only one possibility fromany given world. Thus a’s epistemic accesses to the world itself should be preservedafter the announcement. Since the announcement is secret and private, it is visible onlyto a. This private and truthful announcement can be captured by the update [U2, G2]which is defined as U2 = {(p, a, p), (¬p, a,¬p)} and G2 = {a}.

After the update [U2, G2], a’s possibility relation (Figure 6.3a) will change, but b’spossibility relation (Figure 6.3b) will remain the same as before. Moreover, since bdoes not suspect that anything happened, a’s possibility relation in b’s opinion (Figure6.3c) does not change at all after the announcement. After this private and truthfulannouncement to a, only a believes the truth while nothing happened to b’s beliefs. Wecan check the following formulas.

• M, H � [U2, G2](2ap ∧ ¬2bp)

• M, H � [U2, G2]¬2b(2ap ∨2a¬p)

Example 6.2.10 (Semi-private announcement) After the basic scenario of Example6.2.7, agent a opens the box herself. Agent b observes that a opens the box but does notsee the coin. Agent a also does not disclose whether it is heads or tails. The effect ofthis on their beliefs is the same as a semi-private announcement to a, which means thatthe truth is announced to a only, but b notices what happened.

6.3. TABLEAU METHOD 111

H Ta a

(a) RMa ∗ ([U3, G3]|a)

H Tb

b b

(b) RMb ∗ ([U3, G3]|b)

H Ta a

(c) RMa ∗ ([U3, G3]|b|a)

Figure 6.4: The possibility relations after the update [U3, G3]

Since the truth is announced to a, she will know the truth after the announcement.The situation of b is a little complex. Firstly, b’s possibility relation will remain thesame as before since b is not announced the truth. Secondly, a’s possibility relationin b’s opinion will change since he observed that a is announced the truth. This semi-private announcement can be captured by the update [U3, G3] which is defined as U3 ={(p, a, p), (¬p, a,¬p), (>, b,>)} and G3 = {a, b}.

Agent a’s possibility relation (Figure 6.4a) will change to the reflexive relation afterthe update. Since the announcement is not disclosed to b, b’s possibility relation (Figure6.4b) will not change after the update. However, after the update, a’s possibility relationin b’s opinion (Figure 6.4c) will change because b observes the announcement. Afterthe announcement, b believes that a believes the truth, but b still could not distinguishbetween the fact that a believes p and the fact that a believes ¬p. We can check thefollowing formulas.

• M, H � [U3, G3](2ap ∧ ¬2bp)

• M, H � [U3, G3]2b(2ap ∨2a¬p)

6.3 Tableau methodThis section will present a proof method for PAUL that uses analytic tableaux. As atypical tableau method, given a formula ϕ, it systematically tries to construct a modelfor it. When it fails, ϕ is inconsistent and thus its negation is valid.

The tableau method in this chapter will manipulate tableau terms, which consist oftwo parts: the first part is an update sequence; the second part is a formula, or a checkmark, or a cross mark. In addition, each term is prefixed by a label which stands fora possible world in the model under construction. A similar method is used in Fitting(1983); Massacci (2000); Balbiani et al. (2010); Aucher and Schwarzentruber (2013).

Definition 6.3.1 (Term) A term (or tableau term) is a pair (ρ, x) where ρ is a finiteupdate sequence [U1, G1] · · · [Un, Gn] (ρ = ε if n = 0) and x is a check markX, a crossmark X or a formula ϕ ∈ LPAUL.

Definition 6.3.2 (Length of term) The length of a formula is defined as follows:

l(p) = 1

l(¬ϕ) = l(ϕ) + 1


l(ϕ ∧ ψ) = l(ϕ) + l(ψ) + 1

l(2aϕ) = l(ϕ) + 1

l([U,G]ϕ) = l(U) + |G|+ l(ϕ) + 1

l(U) =∑

(ψ,a,χ)∈U(l(ψ) + l(χ))

The length of an update sequence is defined as follows:

l(ε) = 0; l(ρ[U,G]) = l(ρ) + l(U) + |G|.

The length of a term is defined as follows:

l(ρ,X) = l(ρ,X) = l(ρ); l(ρ, ϕ) = l(ρ) + l(ϕ).

Please note that the length of the term (ε, ϕ) is the same as the length of ϕ.

Definition 6.3.3 (Labelled term) A label is an alternating sequence of integers andagents, namely σ ::= n | σan where n ∈ N and a ∈ Agt. A labelled term is apair consisting of a label and a term, and we also write it as a triple 〈σ, ρ, x〉.

Each label represents a possible world in a Kripke model. Moreover, a label σanoccurring on a branch of a tableau also indicates that there is an a-arrow from the pos-sible world σ to the possible world σan. A labelled term 〈σ, ρ, ϕ〉 means ϕ is true atthe possible world σ after the announcements ρ. A labelled term 〈σan, ρ,X〉 means thea-arrow from σ to σan is preserved after the update sequence ρ. Conversely, a labelledterm 〈σan, ρ,X〉 means the a-arrow is not preserved.

Definition 6.3.4 (Branch) A branch is a set of labelled terms. A label σ is new in abranch b if there is no term in b that is labelled with σ.

Definition 6.3.5 (Tableau) A tableau forϕ0 ∈ L is a set of branches inductively definedas follows.

• T = {{(0, ε, ϕ0)}}. This is called the initial tableau for ϕ0.

• T = (T ′ \ {b}) ∪ B, where T ′ is a tableau for ϕ0 that contains the branch band B is a finite set of branches generated by applying one of the tableau rulesin Table 6.1 on b. For instance, let b = {〈σ, ρ,¬(ϕ ∧ ψ)〉} then B = {b ∪{〈σ, ρ,¬ϕ〉}, b ∪ {〈σ, ρ,¬ψ〉}}

Rules (¬¬), (¬∧) and (∧) are exactly as for propositional logic. Rules (¬2a) and2a are different from their counterparts commonly used in tableau calculi for normalmodal logic. The intuition behind Rule (¬2a) is that if the possible world that σ standsfor satisfied ¬2aϕ after the update sequence ρ then it needs to satisfy the followingconditions: there exists a possible world that is represented by σan (the form of σanindicates that there is an a-arrow from σ to σan); 〈σan, ρ|a,X〉means the a-arrow fromσ to σan will be preserved after the update sequence ρ|a; 〈σan, ρ|a,¬ϕ〉 means ¬ϕ istrue in σan after the update sequence ρ|a. Similarly, Rule (2a) means that 2aϕ is truein σ after ρ if and only if for each possible world that is accessible by a-arrow from σ:either the a-arrow is removed after ρ|a, or ϕ is true in it after ρ|a.


〈σ, ρ,¬¬ϕ〉(¬¬)

〈σ, ρ, ϕ〉

〈σ, ρ,¬(ϕ ∧ ψ)〉(¬∧)

〈σ, ρ,¬ϕ〉 | 〈σ, ρ,¬ψ〉

〈σ, ρ, ϕ ∧ ψ〉(∧)

〈σ, ρ, ϕ〉〈σ, ρ, ψ〉

〈σ, ρ,¬2aϕ〉(¬2a) σan is new.〈σan, ρ|a,X〉

〈σan, ρ|a,¬ϕ〉

〈σ, ρ,2aϕ〉(2a) σan is used.〈σan, ρ|a, ϕ〉 | 〈σan, ρ|a,X〉

〈σ, ρ,¬[U,G]ϕ〉(¬[U,G])

〈σ, ρ[U,G],¬ϕ〉〈σ, ρ, [U,G]ϕ〉

([U,G])〈σ, ρ[U,G], ϕ〉

〈σan, ρ[U,G],X〉(X1) (ψi, a, χi) ∈ U for each 1 ≤ i ≤ k

〈σan, ρ,X〉〈σ, ρ, ψ1〉〈σan, ρ, χ1〉

∣∣∣∣∣∣. . .∣∣∣∣∣∣〈σan, ρ,X〉〈σ, ρ, ψk〉〈σan, ρ, χk〉

〈σan, ρ[U,G],X〉(X2) there are no ψ and χ such that (ψ, a, χ) ∈ U

〈σan, ε,X〉〈σan, ε,X〉

〈σan, ρ[(ψ, a, χ), G],X〉(X1)

〈σan, ρ,X〉 | 〈σ, ρ,¬ψ〉 | 〈σan, ρ,¬χ〉

〈σan, ρ[U,G],X〉(X2)

|U | = k, k ≥ 2 and (ψi, ai, χi) ∈ Ufor each 1 ≤ i ≤ k〈σan, ρ[(ψ1, a1, χ1), G],X〉

...〈σan, ρ[(ψk, ak, χk), G],X〉

Table 6.1: Tableau rules


1. 〈0, ε, [(q, b, q), b]2ap ∧ ¬2ap〉2. 〈0, ε, [(q, b, q), b]2ap〉 (Rule (∧): 1)3. 〈0, ε,¬2ap〉 (Rule (∧): 1)4. 〈0, [(q, b, q), b],2ap〉 (Rule ([U,G]): 2)5. 〈0a1, ε,X〉 (Rule (¬2a): 3)6. 〈0a1, ε,¬p〉 (Rule (¬2a): 3)

7. 〈0a1, ε, p〉 (Rule (2a): 4) 8. 〈0a1, ε,X〉 (Rule (2a): 4)closed (6, 7) closed (5, 8)

Figure 6.5: Closed tableau for the formula [(q, b, q), b]2ap ∧ ¬2ap

Rule (¬[U,G]) and Rule ([U,G]) reflect the feature of the semantics that the updatesare just remembered and they are used to update the possibility relation only when 2aformulas are evaluated. Rule (X1) means that the a-arrow is preserved after ρ[U,G] ifand only if it is firstly preserved after ρ and then preserved by some a-arrow specificationin U . Rule (X2) says it is not possible that the a-arrow from σ to σan is preserved afterρ[U,G] if there is no a-arrow specifications in U . Rule (X1) and Rule (X2) specifythe conditions under which the a-arrow from σ to σan will be removed. It is removedafter ρ[(ψ, a, χ), G] if either it is already removed after ρ, or it cannot be preserved thespecification (ψ, a, χ). Rule (X2) corresponds to the semantics that Ra ∗ (ρ[U,G]) =⋃

(ψ,a,χ)∈U Ra ∗ (ρ[(ψ, a, χ), G]). Please note that it is trivially true that any a-arrowwill be remove after ρ[(ψ, a′, χ), G] if a′ 6= a.

The following proposition is obvious according to the tableau rules.

Proposition 6.3.6 Given a tableau T and a branch b ∈ T , if 〈σ, ρ, x〉 ∈ b and x = X/Xthen σ = σ′an for some label σ′, a ∈ A and n ∈ N.

Definition 6.3.7 (Closed tableau) A branch b is closed if and only if we have either{〈σ, ρ, p〉, 〈σ, ρ′,¬p〉} ⊆ b for some σ, ρ, ρ′ and p, or {〈σan, ε,X〉, 〈σan, ε,X〉} ⊆ bfor some σan, otherwise it is open. A tableau is closed if and only if all its branches areclosed, otherwise it is open.

Example 6.3.8 In Figure 6.5, the tableau method is used to show the validity of oneinstance of the formula of Proposition 6.2.6. The rightmost column shows which tableaurule is applied in each line.

Next, we will show the soundness, but first we need another definition.

Definition 6.3.9 (Satisfiable branch) Given a Kripke modelM and a branch b, let fbe a function from the labels used in b to WM. We say b is satisfied byM and f if thefollowings hold.

• M, f(σ) �ρ ϕ for each 〈σ, ρ, ϕ〉 ∈ b;

• (f(σ), f(σan)) ∈ RMa ∗ ρ for each 〈σan, ρ,X〉 ∈ b;

• (f(σ), f(σan)) 6∈ RMa ∗ ρ for each 〈σan, ρ,X〉 ∈ b.


If there are such Kripke models and functions, we say b is satisfiable.

It is obvious that if b is satisfiable then all ϕ with (σ, ε, ϕ) ∈ b is satisfiable.

Theorem 6.3.10 (Soundness) If there is a closed tableau for ¬ϕ0, then ϕ0 is valid.

PROOF We show that if ϕ0 is satisfiable then there is no closed tableau for ϕ0. Ifϕ0 is satisfiable, it is obvious that the branch in the initial tableau for ϕ0 is satisfiable.Therefore, it is enough to show that all tableau rules preserve satisfiability, that is, if abranch b is satisfiable then at least one branch in B is satisfiable where B is the branchset generated by applying a tableau rule on b.

Suppose that there are a Kripke modelM and a function f by which the branch b issatisfied. Next we will show all tableau rules in Table 6.1 that are applicable to b preservesatisfiability. The rules (¬¬), (¬∧) and (∧) are analogues to the rules commonly usedfor propositional logic; we restrict our attention to the other rules.

1. Rule (¬2a): By the assumption, we have that 〈σ, ρ,¬2aϕ〉 ∈ b, B = {b ∪{〈σan, ρ|a,X〉, 〈σan, ρ|a,¬ϕ〉}} where σan is new in b. SinceM, f(σ) �ρ ϕ, itfollows that there exists t ∈ WM such that (f(σ), t) ∈ RMa ∗ ρ|a andM, t �ρ|a¬ϕ. Now consider the function f ′ such that f ′(σ′) = f(σ′) for all σ′ used in b andf ′(σan) = t. We then have (f ′(σ), f ′(σan)) ∈ RMa ∗ ρ|a andM, f ′(σan) �ρ|a¬ϕ. Therefore, the branch in B is satisfiable.

2. Rule (2a): For each σan which is used in b, we have either (f(σ), f(σan)) ∈RMa ∗ ρ|a or (f(σ), f(σan)) 6∈ RMa ∗ ρ|a. It follows by 〈σ, ρ,2aϕ〉 ∈ b thatM, f(σ) �ρ 2aϕ. If (f(σ), f(σan)) ∈ RMa ∗ ρ|a then we haveM, f(σan) �ρ|aϕ. Thus, the branch b∪ {〈σan, ρ|a, ϕ〉} is satisfiable. If (f(σ), f(σan)) 6∈ RMa ∗ρ|a, the branch b ∪ {〈σan, ρ|a,X〉} is satisfiable.

3. Rule (¬[U,G]): Since 〈σ, ρ,¬[U,G]ϕ〉 ∈ b, it follows by the assumption thatM, f(σ) �ρ ¬[U,G]ϕ. By semantics, it follows thatM, f(σ) �ρ ¬[U,G]ϕ iffM, f(σ) 2ρ [U,G]ϕ iff M, f(σ) 2ρ[U,G] ϕ iff M, f(σ) �ρ[U,G] ¬ϕ. SinceB = {b ∪ {〈σ, ρ[U,G],¬ϕ〉}}, the branch in B is satisfiable.

4. Rule ([U,G]): Since 〈σ, ρ, [U,G]ϕ〉 ∈ b, it follows by the assumption thatM, f(σ) �ρ[U,G]ϕ. By semantics, it follows thatM, f(σ) �ρ [U,G]ϕ iffM, f(σ) �ρ[U,G]

ϕ. Because of B = {b ∪ {〈σ, ρ[U,G], ϕ〉}}, thus the branch in B is satisfiable.

5. Rule (X1): Since we have 〈σan, ρ[U,G],X〉 ∈ b, it follows by the assumptionthat (f(σ), f(σan)) ∈ RMa ∗ρ[U,G]. It follows by semantics that (f(σ), f(σan)) ∈RMa ∗ρ and there exists (ψ, a, χ) ∈ U such thatM, f(σ) �ρ ψ andM, f(σan) �ρχ. Let b′ = b∪{〈σan, ρ,X〉, 〈σ, ρ, ψ〉, 〈σan, ρ, χ〉}, we then have b′ is satisfiable.Due to b′ ∈ B, thus one branch in B is satisfiable.

6. Rule (X2): Since b is satisfied byM and f , it is obvious that Rule (X2) is notapplicable to b.

7. Rule (X1): Since 〈σan, ρ[(ψ, a, χ), G],X〉 ∈ b, it follows by the assumptionthat (f(σ), f(σan)) 6∈ RMa ∗ ρ[(ψ, a, χ), G]. It follows by the semantics that(f(σ), f(σan)) 6∈ RMa ∗ ρ or M, f(σ) 2ρ ψ or M, f(σan) 2ρ χ. There-fore, we have that one branch of B = {b ∪ {〈σan, ρ,X〉}, b ∪ {〈σ, ρ,¬ψ〉}, b ∪{〈σan, ρ,¬χ〉}} is satisfiable.


8. Rule (X2): Since 〈σan, ρ[U,G],X〉 ∈ b, it follows that (f(σ), f(σan)) 6∈ RMa ∗ρ[U,G]. It follows by the semantics that RMa ∗ ρ[U,G] =

⋃(ψ,a,χ)∈U R

Ma ∗

ρ[(ψ, a, χ), G]. Therefore, we have (f(σ), f(σan)) 6∈ RMa ∗ ρ[(ψ, a′, χ), G] foreach (ψ,′ a, χ) ∈ U and a′ = a. If (ψ, a′, χ) ∈ U and a′ 6= a, it follows thatRMa ∗(ρ[(ψ, a′, χ), G]) = ∅. Thus we have that the branch b∪{〈σan, ρ[(ψ, a′, χ), G],X〉 |(ψ, a′, χ) ∈ U} is satisfiable.

2

In the rest of the section, we prove completeness. First, we need another auxiliarydefinition.

Definition 6.3.11 (Saturated tableau) A branch b is saturated if and only if it is satur-ated under all tableau rules, as defined below:

1. b is saturated under Rule (¬¬) if and only if 〈σ, ρ,¬¬ϕ〉 ∈ b implies 〈σ, ρ, ϕ〉 ∈ b;

2. b is saturated under Rule (¬∧) if and only if 〈σ, ρ,¬(ϕ∧ψ)〉 ∈ b implies 〈σ, ρ,¬ϕ〉 ∈b or 〈σ, ρ,¬ψ〉 ∈ b;

3. b is saturated under Rule (∧) if and only if 〈σ, ρ, (ϕ∧ψ)〉 ∈ b implies 〈σ, ρ, ϕ〉 ∈ band 〈σ, ρ, ψ〉 ∈ b;

4. b is saturated under Rule (¬2a) if and only if 〈σ, ρ,¬2aϕ〉 ∈ b implies that{〈σan, ρ|a,X〉, 〈σan, ρ|a,¬ϕ〉} ⊂ b for some n ∈ N;

5. b is saturated under Rule (2a) if and only if 〈σ, ρ,2aϕ〉 ∈ b implies that for eachσan occurring in b we have 〈σan, ρ|a,X〉 ∈ b or 〈σan, ρ|a, ϕ〉 ∈ b;

6. b is saturated under Rule (¬[U,G]) if and only if 〈σ, ρ,¬[U,G]ϕ〉 ∈ b implies〈σ, ρ[UG],¬ϕ〉 ∈ b;

7. b is saturated under Rule ([U,G]) if and only if 〈σ, ρ, [U,G]ϕ〉 ∈ b implies〈σ, ρ[UG], ϕ〉 ∈ b;

8. b is saturated under Rule (X1) if and only if 〈σan, ρ[U,G],X〉 ∈ b implies{〈σan, ρ,X〉, 〈σ, ρ, ψ〉, 〈σan, ρ, χ〉} ⊂ b for some (ψ, a, χ) ∈ U ;

9. b is saturated under Rule (X2) if and only if 〈σan, ρ[U,G],X〉 ∈ b implies{〈σan, ε,X〉, 〈σ, ε,X〉, } ⊂ b;

10. b is saturated under Rule (X1) if and only if 〈σan, ρ[(ψ, a, χ), G],X〉 ∈ b implies〈σan, ρ,X〉 ∈ b or 〈σ, ρ,¬ψ〉 ∈ b or 〈σan, ρ,¬χ〉 ∈ b.

11. b is saturated under Rule (X2) if and only if 〈σan, ρ[U,G],X〉 ∈ b implies that{〈σan, ρ[(ψ, a′, χ), G],X〉 | (ψ, a′, χ) ∈ U} ⊂ b, where there are at least twospecifications in U .

We say a tableau is saturated if and only if all its branches are saturated.

The following two propositions are obvious by the tableau rules.


Proposition 6.3.12 Given a saturated tableau T and a branch b ∈ T , if 〈σan, ρ,X〉 ∈ bthen 〈σan, ε,X〉 ∈ b.

Proposition 6.3.13 Given a saturated tableau T and a branch b ∈ T , if a label σanoccurs in b then 〈σan, ε,X〉 ∈ b.

Now, we are ready to prove the completeness.

Theorem 6.3.14 (completeness) If ϕ0 is valid, there is a closed tableau for ¬ϕ0.

PROOF We only need to show that if all tableaux for ϕ0 are open then ϕ0 is satisfiable.Since each tableau for ϕ0 can be extended to be saturated and there is at least one tableaufor ϕ0, i.e. the initial tableau, there exists an open and saturated tableau for ϕ0 if all itstableaux are open.

Let T be an open and saturated tableau for ϕ0 and b be an open and saturated branchof T . In order to show ϕ0 is satisfiable, we only need to show that the branch b issatisfiable in the sense of Definition 6.3.9. Next we will construct a modelMc and wewill show that b is satisfied byMc. The modelMc = 〈W,R, V 〉 is defined as follows.

W = {σ | σ is used in b}Ra = {(σ, σan) | (σan, ε,X) ∈ b} for each a ∈ Agt

V (p) = {σ | (σ, ρ, p) ∈ b for some ρ}

Please note that if σan is used in b then so is σ.By induction on the length of terms, we will show that b is satisfied byMc and I ,

where I is the function I(σ) = σ. For abbreviation, we will write I(σ) as σ. For thecase of l(ρ, x) = 0, the term (ρ, x) can only be of the form (ε,X) or (ε,X). Furthermore,it cannot be of the form (ε,X). Assuming (σan, ε,X) ∈ b for some label σan, it followsby Proposition 6.3.13 that (σan, ε,X) ∈ b, this is in contradiction with that b is open.Therefore, in this case, we only need to show that (σ, σan) ∈ Ra for each σan with(σan, ε,X) ∈ b, which is obvious by the definition of the modelMc.

With the inductive hypothesis that each labelled term (σ, ρ, x) ∈ b with l(ρ, x) < nsatisfies the conditions declared in Definition 6.3.9, we will show that each labelled term(σ, ρ, x) ∈ b with l(ρ, x) = n also satisfies the conditions, where n ≥ 1.

If x is a formula, there are different cases according to the form of the formula, asbelow:

1. (σ, ρ, p) ∈ b: It is obvious thatMc, σ �ρ p.

2. (σ, ρ,¬p) ∈ b: Assuming σ ∈ V (p), it follows that (σ, ρ′, p) ∈ b for some ρ′.This is in contradiction with the assumption that b is open. Therefore, we haveσ 6∈ V (p), namelyMc, σ �ρ ¬p.

3. (σ, ρ,¬¬ϕ) ∈ b: Since b is saturated, it follows that (σ, ρ, ϕ) ∈ b. Since l(ρ, ϕ) <l(ρ,¬¬ϕ), it follows by IH thatMc, σ �ρ ϕ. Therefore, we haveMc, σ �ρ ¬¬ϕ.

4. (σ, ρ, ϕ∧ψ) ∈ b: Since b is saturated, it follows that (σ, ρ, ϕ) ∈ b and (σ, ρ, ψ) ∈b. Since l(ρ, ϕ), l(ρ, ψ) < l(ρ, ϕ ∧ ψ), it follows by IH that Mc, σ �ρ ϕ andMc, σ �ρ ψ. Therefore, we haveMc, σ �ρ ϕ ∧ ψ.


5. (σ, ρ,¬(ϕ ∧ ψ)) ∈ b: Since b is saturated, it follows that (σ, ρ,¬ϕ) ∈ b or(σ, ρ,¬ψ) ∈ b. Since l(ρ,¬ϕ), l(ρ,¬ψ) < l(ρ,¬(ϕ ∧ ψ)), it follows by IHthatMc, σ �ρ ¬ϕ orMc, σ �ρ ¬ψ. Therefore, we haveMc, σ �ρ ¬(ϕ ∧ ψ).

6. (σ, ρ,¬2aϕ) ∈ b: Since b is saturated, it follows that (σan, ρ|a,¬ϕ) ∈ b and(σan, ρ|a,X) ∈ b for some n ∈ N. Since l(ρ|a,¬ϕ), l(ρ|a,X) < l(ρ,¬2aϕ),it follows by IH that (σ, σan) ∈ Ra ∗ (ρ|a) andMc, σ �ρ|a ¬ϕ. Therefore, wehaveMc, σ �ρ ¬2aϕ.

7. (σ, ρ,2aϕ) ∈ b: Let σ′ ∈W be a state with (σ, σ′) ∈ Ra∗(ρ|a). In order to showMc, σ �ρ 2aϕ, we need to show thatMc, σ′ �ρ|a ϕ. Since Ra ∗ (ρ|a) ⊆ Ra, itfollows that σ′ = σan for some n ∈ N. Assuming (σan, ρ|a,X) ∈ b, it followsby IH that (σ, σan) 6∈ Ra∗(ρ|a). This is in contradiction with the assumption that(σ, σ′) ∈ Ra ∗ (ρ|a). Therefore, we have (σan, ρ|a,X) 6∈ b. Since b is saturated,it follows that (σan, ρ|a, ϕ) ∈ b. It follows by IH thatMc, σan �ρ|a ϕ.

8. (σ, ρ,¬[U,G]ϕ) ∈ b: Since b is saturated, it follows that (σ, ρ[U,G],¬ϕ) ∈ b.Since l(ρ[U,G],¬ϕ) < l(ρ,¬[U,G]ϕ), it follows by IH thatMc, σ �ρ[U,G] ¬ϕ.Therefore, we haveMc, σ �ρ ¬[U,G]ϕ.

9. (σ, ρ, [U,G]ϕ) ∈ b: Since b is saturated, it follows that (σ, ρ[U,G], ϕ) ∈ b. Sincel(ρ[U,G], ϕ) < l(ρ, [U,G]ϕ), it follows by IH thatMc, σ �ρ[U,G] ϕ. Therefore,we haveMc, σ �ρ [U,G]ϕ.

If x in the term (ρ, x) is of the form X or X, we have ρ is not ε because l(ρ, x) ≥ 1.There are different cases, as below:

1. (σan, ρ[U,G],X) ∈ b and there exists an a-arrow specification in U : Since bis saturated, it follows that {〈σan, ρ,X〉, 〈σ, ρ, ψ〉, 〈σan, ρ, χ〉} ⊂ b for some(ψ, a, χ) ∈ U . Since l(ρ,X), l(ρ, ψ), l(ρ, χ) < l(ρ[U,G],X), it follows byIH that (σ, σan) ∈ Ra ∗ ρ, Mc, σ �ρ ψ and Mc, σan �ρ χ. It follows that(σ, σan) ∈ Ra ∗ (ρ[U,G]).

2. (σan, ρ[U,G],X) ∈ b and there are no a-arrow specifications in U : Due to Rule(X2) and the fact that b is open and saturated, this case is impossible.

3. (σan, ρ[(ψ, a′, χ), G],X) ∈ b: If a′ 6= a, it follows that Ra ∗ (ρ[(ψ, a′, χ), G]) =∅. It is obvious (σ, σan) 6∈ Ra ∗ (ρ[(ψ, a′, χ), G]). If a′ = a, it follows byRule (X1) that 〈σan, ρ,X〉 ∈ b, or 〈σ, ρ,¬ψ〉 ∈ b, or 〈σan, ρ,¬χ〉 ∈ b. Sincel(ρ,X), l(ρ,¬ψ), l(ρ,¬χ) < l(ρ[(ψ, a, χ), G],X), it follows by IH that (σ, σan) 6∈Ra ∗ ρ, or Mc, σ �ρ ¬ψ, or Mc, σan �ρ ¬χ. Each of them can derive that(σ, σan) 6∈ Ra ∗ (ρ[(ψ, a, χ), G]).

4. (σan, ρ[U,G],X) ∈ b and |U | ≥ 2: If there are no a-arrow specifications in U , itis obvious that (σ, σan) 6∈ Ra ∗ (ρ[U,G]) since Ra ∗ (ρ[U,G]) = ∅. Otherwise,let (ψ1, a, χ1), · · · , (ψk, a, χk) be all the a-arrow specifications in U . Since bis saturated, it follows by Rule (X2) that 〈σan, ρ[(ψi, a, χi), G],X〉 ∈ b for all1 ≤ i ≤ k. Since l(ρ[(ψi, a, χi), G],X) < l([U,G],X) for all 1 ≤ i ≤ k dueto |U | ≥ 2, it follows by IH that (σ, σan) 6∈ Ra ∗ (ρ[(ψi, a, χi), G]) for all1 ≤ i ≤ k. Since Ra ∗ (ρ[U,G]) =

⋃1≤i≤k Ra ∗ (ρ[(ψi, a, χi), G]), we have

(σ, σan) 6∈ Ra ∗ (ρ[U,G]).


We have shown that all labelled terms in b satisfy the conditions declared in Defini-tion 6.3.9. Since 〈0, ε, ϕ0〉 ∈ b, thus we haveMc, 0 � ϕ0. 2

6.4 DecidabilityIn this section, we will show that PAUL is decidable, that is, the problem whether anPAUL formula ϕ is satisfiable can be answered in a finite number of steps. Our methodis to show that PAUL has small model property. We will show that each satisfiablePAUL formula ϕ has a bounded small model in which ϕ is true. From the proof ofTheorem 6.3.14, we have seen that we can construct a model for ϕ based on a saturatedopen branch if ϕ is satisfiable, and each state in the model is exactly a label used in thebranch. Therefore, the key is to show that there are only finitely many labels used in thetableau branch.

For the commonly used tableau calculus for normal modal logic, each formula oc-curring in the tableau is a subformula of the destination formula, and this feature plays animportant role to show the decidability of normal modal logic through tableau method.Similarly, we will define the notation of subterm here, and we will show that all termsoccurring in the tableau are subterms.

Definition 6.4.1 (Subterm) Given a term (ρ, x), the set of subterm of (ρ, x), denotedas sub(ρ, x), is defined as below.

sub(ε,X/X) = {(ε,X/X)}sub(ρ[(ψ, a, χ), G],X/X) = {(ρ[(ψ, a, χ), G],X/X)} ∪ sub(ρ, ψ) ∪ sub(ρ, χ)

sub(ρ[U,G],X/X) = {(ρ[U,G],X/X)} ∪⋃

(ψ,a,χ)∈U

sub(ρ[(ψ, a, χ), G],X/X)

where |U | ≥ 2

sub(ρ, p) = {(ρ, p)} ∪ sub(ρ,X) ∪ sub(ρ,X)

sub(ρ,¬ϕ) = {(ρ,¬ϕ)} ∪ sub(ρ, ϕ)

sub(ρ, ϕ ∧ ψ) = {(ρ, ϕ ∧ ψ)} ∪ sub(ρ, ϕ) ∪ sub(ρ, ψ)

sub(ρ,2aϕ) = {(ρ,2aϕ)} ∪ sub(ρ|a, ϕ)

sub(ρ, [U,G]ϕ) = {(ρ, [U,G]ϕ)} ∪ sub(ρ[U,G], ϕ)

Let sub+(ρ, x) be the set {(ρ,¬ϕ) | (ρ, ϕ) ∈ sub(ρ, x)} ∪ sub(ρ, x).

The following proposition states some properties of the subterm set.

Proposition 6.4.2 We have the following results.

• sub(ρ, x) is finite;

• (ρ,X/X) ∈ sub(ρ, ϕ);

• (ρ, x) ∈ sub(ρ′, x′) implies sub(ρ, x) ⊆ sub(ρ′, x′).

Proposition 6.4.3 Let T be a tableau for ϕ0 and b be a branch of T . If (σ, ρ, x) ∈ bthen (ρ, x) ∈ sub+(ε, ϕ0).


PROOF According to Definition 6.3.5, we prove this by induction on the process ofconstruction of T . For the initial tableau {{(0, ε, ϕ0)}}, it is obvious. Next, we onlyneed to show that all the tableau rules in Table 6.1 preserve the subterm property. Thecases of the rules (¬¬), (¬∧), (∧), ([U,G]) and (X2) are obvious; we will restrict ourattention to the other rules.

1. Rule (¬2a): If (ρ,¬2aϕ) ∈ sub+(ε, ϕ0), then we have (ρ,2aϕ) ∈ sub(ε, ϕ0).Because (ρ|a, ϕ) ∈ sub(ρ,2aϕ), it follows by Proposition 6.4.2 that (ρ|a,X),(ρ|a, ϕ) ∈ sub+(ε, ϕ0).

2. Rule (2a): If (ρ,2aϕ) ∈ sub+(ε, ϕ0), then we have (ρ,2aϕ) ∈ sub(ε, ϕ0).Because (ρ|a, ϕ) ∈ sub(ρ,2aϕ), it follows by Proposition 6.4.2 that (ρ|a,X),(ρ|a, ϕ) ∈ sub+(ε, ϕ0).

3. Rule (¬[U,G]): If (ρ,¬[U,G]ϕ) ∈ sub+(ε, ϕ0), then we have (ρ, [U,G]ϕ) ∈sub(ε, ϕ0). Since (ρ[U,G], ϕ) ∈ sub(ρ, [U,G]ϕ), it follows by Proposition 6.4.2that (ρ[U,G], ϕ) ∈ sub(ρ, ϕ0). Therefore, we have (ρ[U,G],¬ϕ) ∈ sub+(ρ, ϕ0).

4. Rule (X1): If (ρ[U,G],X) ∈ sub+(ε, ϕ0) then (ρ[U,G],X) ∈ sub(ε, ϕ0). Let(ψ, a, χ) ∈ U . We have (ρ[(ψ, a, χ), G],X) ∈ sub(ε, ϕ0). Since (ρ, ψ), (ρ, χ) ∈sub(ρ[(ψ, a, χ), G],X), we have (ρ, ψ), (ρ, χ) ∈ sub(ε, ϕ0). It follows by Pro-position 6.4.2 that (ρ,X) ∈ sub(ρ, ψ), thus we also have (ρ,X) ∈ sub(ρ, ϕ0).

5. Rule (X2): It follows by Proposition 6.4.2 that (ε,X), (ε,X) ∈ sub(ε, ϕ0).

6. Rule (X1): If (ρ[(ψ, a, χ), G],X) ∈ sub+(ε, ϕ0), then (ρ[(ψ, a, χ), G],X) ∈sub(ε, ϕ0). Since (ρ, ψ), (ρ, χ) ∈ sub(ρ[(ψ, a, χ), G],X), we have (ρ, ψ), (ρ, χ) ∈sub(ε, ϕ0). Therefore, we have (ρ,¬ψ), (ρ,¬χ) ∈ sub+(ε, ϕ0). It follows byProposition 6.4.2 that (ρ,X) ∈ sub(ρ, ψ), thus we also have (ρ,X) ∈ sub(ρ, ϕ0).

2

Proposition 6.4.4 Let T be a tableau for ϕ0, and let b be a branch of T . If σ is a labelpresent in b, then there are at most k labels present in b with the form of σan for somen ∈ N, where k = |sub+(ε, ϕ0)|.

PROOF It follows by Definition 6.3.5 that each label σan present in b is generated byapplying the rule (¬2a) to a labelled term (σ, ρ,¬2aϕ) ∈ b. According to Proposition6.4.3, there are at most k terms labelled with σ in b. Therefore, there are at most k labelspresent in b with the form of σan for some n ∈ N. 2

Definition 6.4.5 (Length of label) The length of a label σ, denoted by |σ|, is defined byinduction on σ: |n| = 0; |σan| = |σ|+ 1.

Proposition 6.4.6 Let T be a tableau for ϕ0 and b be a branch of T . If (σ, ρ, x) ∈ bthen |σ| ≤ l(ϕ0)− l(ρ, x).

PROOF Following Definition 6.3.5, the proof is by induction on the process of con-struction of T . For the initial tableau {{(0, ε, ϕ0)}}, it is obvious. Next we will showthat this property is preserved by all the tableau rules. The cases of the rules (¬¬), (¬∧),(∧) and (X2) are obvious; we will restrict our attention to the other rules.


Proposition 6.4.4 that each label in the tree has at most k children. It follows by Pro-position 6.4.6 that the depth of the tree is bounded by m. Therefore, there are at mostkO(m) labels used in b. 2

Theorem 6.4.8 (Decidability) The problem whether ϕ0 is satisfiable is decidable.

PROOF It follows by Lemma 6.4.7 that we only need to check all the models no biggerthan kO(m) where k = |sub+(ε, ϕ0)| and m = l(ϕ0), and this procedure can terminatein finitely many steps. 2

6.5 ConclusionThis chapter presented the theory PAUL of Private Arrow Update Logic, which extendsthe arrow update of AUL with a relativized subgroup of agents. Public, private and semi-private announcements can be modeled in this framework. PAUL still is a particular caseof GAUL, since some information change, like cheating, cannot be modeled in PAUL.This chapter also provided a sound and complete tableau method of PAUL and showedthat PAUL is decidable.

In Kooi and Renne (2011a), an axiomatic theory for AUL is provided by the reduc-tion axiom method of DEL (see also Baltag and Moss (2004); Baltag et al. (1998); Ger-brandy (1999); Plaza (2007); van Benthem et al. (2006); van Ditmarsch et al. (2007)).Similarly, we can have the PAUL version reduction axioms. Especially, the reductionaxioms of 2a formula are as below.

[U,G]2aϕ↔∧

(ψ,a,χ)∈U

(ψ → 2a(χ→ [U,G]ϕ)) a ∈ G

[U,G]2aϕ↔ 2aϕ a 6∈ G

Propositions 6.2.5 and 6.2.6 have shown that these two formulas are valid. Therefore, wecan have an axiomatic theory for PAUL. The only difference is that there is a reductionaxiom for the composition of two updates in Kooi and Renne (2011a), but we cannotgenerally combine two updates [U1, G1][U2, G2] here, because it might be the case thatG1 6= G2. However, this will not be a problem. It is shown in Wang and Cao (2013)that the reduction axiom of composing two update operators is not necessary. Withoutthe composition axiom, we can still complete the reduction by defining the reductionfunction as r([U1, G1][U2, G2]ϕ) = r([U1, G1]r([U2, G2]ϕ)). Therefore, the reductionaxiom method indeed works for PAUL. Since most of the proofs are similar to those forAUL in Kooi and Renne (2011a), we do not prove it in this chapter.

For future research, we can try to give an optimal algorithm for the satisfiabilityproblem of PAUL by taking a depth-first search strategy on the tableau method. Sinceeach AUL formula can be equivalently translated into a PAUL formula by replacing theupdate [U ] by [U,Agt], the tableau method presented in this chapter can apply to AUL.Therefore, the optimal algorithm for PAUL (if there is one) will also be an algorithm forAUL and might also be optimal.

Another direction for future research is to apply Arrow Update Logic to knowinghow. The main feature of Arrow Update Logic is that it updates information but does

6.5. CONCLUSION 123

not eliminate states. This makes it more suitable for modeling information update inknowing how. For example, a doctor may not know how to treat a patient since the onlytwo available medicines a and b may cause some very bad side-effect. That is, thereis an a-arrow and a b-arrow from the current state to the bad side-effect state. If theinformation is updated, for example, a new scientific discovery shows that a will notcause the bad effect, then the doctor should know how to treat the patient. This kind ofinformation update will eliminate arrows but not states.

Chapter 7

Conclusion

This thesis investigates planning under uncertainty from a logical point of view. In arti-ficial intelligence, conformant planning, which is the simplest version of planning underuncertainty, is to find a linear sequence of actions to achieve goals, where the agentis uncertain about his situation. Conformant probabilistic planning extends conform-ant planning by extending the uncertainties with probability distributions. Contingentplanning generalizes the solution of conformant planning to be a strategy, a partial func-tion from belief spaces to actions. Chapter 2 proposes a logical framework to capturehow the probability distribution (which stands for the agent’s uncertainty) updates alongthe execution of a plan in conformant probabilistic planning. Chapter 3 and 4 buildknowing-how logics by developing the idea of interpreting knowing how to achieve agoal as having a conformant plan for achieving the goal. Chapter 5 proposes a knowing-how logic by adopting the idea of reducing knowledge-how as having a contingent plan.Chapter 6 extends the theory of arrow update logic (AUL) with the motivation that AULprovides a proper way to model the information change in the knowing-how logic pro-posed in Chapter 5.

Chapter 2 developed a logical framework for conformant probabilistic planning.This approach differs from existing approaches to conformant probabilistic planningby focussing on a logical language with which to specify plans and goals. The particularlogic also allows for reasoning about the change of the belief state of the agent (whichis a probability distribution over states) during the execution of actions. In this logic, wecan enrich conformant probabilistic planning by thinking of the goal as a formula, whichmay be more convenient when we formulate goals that are probabilistic in nature. Weprovided a complete axiomatization of the logic, which shows it is rather well-behavedfor a logic that deals with conformant probabilistic planning. We also proved this logicto be decidable.

Chapter 3 and 4 extended Wang’s knowing-how logic, in which knowing how toachieve a goal is interpreted as having a conformant plan. Chapter 3 extended the ori-ginal binary knowing-how modality to be a ternary modality, which can express that theagent knows how to achieve a goal from a specific position while taking a route thatsatisfies some constraints. We presented a sound and complete axiomatization for thisextended knowing-how logic and showed this logic to be decidable by using the filtrationmethod. Chapter 4 weakens the binary knowing-how logic by interpreting knowing how

125

126 CHAPTER 7. CONCLUSION

to achieve a goal as having a weak conformant plan. The demands that a conformantplan puts on the plan may be too strong, in the sense that a plan is not supposed to failduring the execution. A weak conformant plan, on the other hand, is a plan that will al-ways result in the goals when the execution of the plan terminates, even if the executionis not completed. We argued that it is sufficient to say that one knows how to achievea goal if he (she) has a weak conformant plan for achieving the goal. We presented asound and complete axiomatization for this weaker logic and showed that this logic tobe decidable.

Inspired by contingent planning, Chapter 5 extended epistemic logic with a unaryknowing-how modality which is interpreted as having a strategy for achieving goals. Itis called strategically knowing-how logic. In this logic framework, we investigated theinteractions between knowledge-that and knowledge-how. We also presented a soundand complete axiomatization of this logic and showed this logic to be decidable. Toreason about information change due to announcements in the strategically knowing-how logic, Chapter 6 investigated arrow update logic. The standard arrow update logiccannot describe information change caused by private events. Chapter 6 extended it todeal with private announcements. We presented a sound and complete tableau systemfor this extended logic and showed it is decidable.

There is a lot more to explore. Even though in each chapter we have shown thelogic to be decidable, we have not touched upon the issue of complexity. How is themodel theory of each logic? For instance, what kinds of model classes are definable inthe logic, and what kinds of structure are not distinguished by the logic (i.e. what is the“bisimulation” of the logic)? Besides these, there are two that I think are very muchworth while.

The first one is to cast all the standard AI planning problems into one unified lo-gical framework to facilitate careful comparisons and classification. As it is mentionedin Chapter 1.2, EPDL can apply for conformant planning. Moreover, the language ofEPDL is powerful enough to express contingent plans. The logic proposed in Chapter 2of this thesis can apply for conformant probabilistic planning. If we merge these twologics and generalize the model with partial observability, the logical framework candeal with all kinds of planning problems under uncertainty: conformant planning, con-formant probabilistic planning, contingent planning, and contingent planning extendedwith probabilities. We will then see clearly how the form of the goal formula, the con-structor of the plan, and the observational ability matter in the theoretical and practicalcomplexity of planning, which is in line with the research pioneered in Backstrom andJonsson (2011).

The other is to consider knowing how in multi-agent settings and to model the groupnotions of knowing how. One of the main reasons that contribute to epistemic logic’sgreat success is that it is very useful when applied to situations involving more than oneagent. It can model the group notions of propositional knowledge, such as common(propositional) knowledge and distributed (propositional) knowledge. Similarly, thereare also such group notions of knowledge-how. For example, if you know how to reachs2 from s1 and I know how to reach s3 from s2, then we two together will know how toreach s3 from s1. This is a distributed knowledge-how. Distributed knowledge-how canbe viewed as the ability that a “highly skilled person” in a group has, one who can do allthe actions that each member of the group can do. Common knowledge-how of a groupcan be viewed as the ability that every member of the group has.

Appendix A

Logical background

A.1 Epistemic logicEpistemic logic proposed by Hintikka (1962) is a modal logic concerned with reasoningabout knowledge expressed by knowing that p, where p is a proposition. This subsectionwill introduce the language, the semantics and the proof system S5 of epistemic logic.Moreover, we will introduce some basic logical concepts, such as validity, consistency,soundness, completeness.

Let P be a countable set of proposition letters.

Definition A.1.1 (Language) The language of epistemic logic is defined as below.

ϕ ::= > | p | ¬ϕ | (ϕ ∧ ϕ) | Kϕ

where p ∈ P. We use the following abbreviations: ⊥ := ¬>, ϕ ∨ ψ := ¬(¬ϕ ∧ ¬ψ),ϕ→ ψ := ¬ϕ ∨ ψ.

Intuitively, the formula Kϕ means that the agent knows that ϕ holds. The languageof epistemic logic is interpreted on models defined below.

Definition A.1.2 (Models) A model is a tripleM = 〈S,∼, V 〉 where

• S 6= ∅ is a set of states;

• ∼ is an equivalence relation on S;


For each s ∈ S, (M, s) is called a pointed model.

Definition A.1.3 (Semantics) Let (M, s) be a pointed model. A formula ϕ being truthinM, s, denoted asM, s � ϕ, is defined as below.

M, s � > alwaysM, s � p ⇐⇒ p ∈ V (s).M, s � ¬ϕ ⇐⇒ M, s 2 ϕ.M, s � (ϕ ∧ ψ) ⇐⇒ M, s � ϕ andM, s � ψ.M, s � Kϕ ⇐⇒ M, t � ϕ for each t with s ∼ t

127

128 APPENDIX A. LOGICAL BACKGROUND

Next, we introduce the concept of validity, which is a crucial notion of the semanticsof a logic framework.

Definition A.1.4 (Semantic consequence) Let Γ be a set of formulas. We write “M, s �ψ for all ψ ∈ Γ” asM, s � Γ. We say ϕ is a semantic consequence of Γ, denoted asΓ � ϕ, ifM, s � Γ impliesM, s � ϕ for each pointed model (M, s).

We say a formula ϕ is valid, denoted as � ϕ, if ∅ � ϕ. In other words, ϕ is valid ifM, s � ϕ for each pointed model (M, s). We say ϕ is satisfiable if there exists (M, s)such thatM, s � ϕ.

The following is the deductive system of epistemic logic, which is known as S5.

Definition A.1.5 (Deductive system S5) The axioms and rules shown in Table A.1 con-stitute the deductive system S5.

AXIOMSAll instances of propositional tautologies

DISTK K(ϕ→ ψ)→ (Kϕ→ Kψ)T Kϕ→ ϕ4 Kϕ→ KKϕ5 ¬Kϕ→ K¬Kϕ

RULESMP From ϕ→ ψ and ϕ, infer ψGEN From ϕ, infer Kϕ

Table A.1: System S5

Next, we introduce the concept of derivation, which is a core notion of the deductivesystem of a logic framework.

Definition A.1.6 (Derivation) A finite sequence of formulas ϕ1 · · ·ϕn is called a deriv-ation if each ϕi (1 ≤ i ≤ n) is either an instance of an axiom of S5 or following fromthe preceding formulas in the sequence by a rule of S5. We say ϕ is derivable in S5,written as S5 ` ϕ or sometimes just ` ϕ, if there is a derivation ϕ1 · · ·ϕnϕ. Otherwise,we say ϕ is not derivable in S5 (written as 0 ϕ).

Let Γ be a set of formulas. We say ϕ is derivable from Γ (written as Γ ` ϕ) if thereare finite formulas ϕ1, · · · , ϕn ∈ Γ such that ` (ϕ1 ∧ · · · ∧ ϕn) → ϕ. Otherwise, wesay ϕ is not derivable from Γ (written as Γ 0 ϕ). We say Γ is S5-consistent (or justconsistent) if Γ 0 ⊥. Otherwise, we say Γ is inconsistent.

The following concepts, soundness and completeness, connect the deductive systemand the semantics. If the deductive system is sound and complete, it means the formulasderived in the deductive system coincide with the formulas valid to the semantics.

Definition A.1.7 (Soundness and completeness) We say S5 is sound with respect tothe semantics if ` ϕ implies � ϕ for each formula ϕ.

We say S5 is complete with respect to the semantics if � ϕ implies ` ϕ for eachformula ϕ. We say S5 is strongly complete if Γ � ϕ implies Γ ` ϕ.

A.2. PROBABILISTIC DYNAMIC EPISTEMIC LOGIC 129

Theorem A.1.8 S5 is sound and strongly complete with respect to the semantics ofDefinition A.1.3.

A.2 Probabilistic dynamic epistemic logicProbabilistic dynamic epistemic logic (PDEL) proposed by Kooi (2003) is a combinationof the public announcement logic Plaza (2007) (which is a simple and intuitive kindof dynamic epistemic logic) and the probabilistic logic by Fagin et al. (1990), whichfocuses on reasoning about probability, information, and information change and takeshigher order information into account. Just like the probabilistic logic, PDEL is anextension of the linear inequality logic. This subsection will introduce the language, thesemantics, and the deductive system of PDEL. Before that, we first introduce the linearinequality logic.

A.2.1 Linear inequality logicThe linear inequality logic proposed in Fagin et al. (1990) is a logic for reasoning aboutlinear inequalities. Fagin et al. introduced the linear inequality logic in their paper aboutprobabilistic logic because the atomic probabilistic formula is a linear inequality. Theprobabilistic logic proposed in Fagin et al. (1990) is an extension of linear inequalitylogic. In this part, we first introduce the language, the semantics, and the deductivesystem of linear inequality logic, and second, we introduce some important properties(on solvability and decidability) of linear inequalities.

Let X be a countable set of variables.

Definition A.2.1 (Language) The language is defined as below.

ϕ ::=a0x0 + · · ·+ anxn ≥ q | ¬ϕ | (ϕ ∧ ϕ)

where n ∈ N, xi ∈ X and ai, q ∈ Q for all 0 ≤ i ≤ n. We call formulas of the formsa0x0 + · · ·+ anxn ≥ q or ¬(a0x0 + · · ·+ anxn ≥ q) linear inequalities.

Please note that¬(a0x0+· · ·+anxn ≥ q) can also be written as a0x0+· · ·+anxn <q or (−1)a0x0 + · · ·+ (−1)anxn > q.

Definition A.2.2 (Model) A modelA is an assignment function that assigns a real num-ber to every variable x ∈ X .

Definition A.2.3 (Semantics) The satisfaction relation between an assignment and aformula is defined as below.

A � a0x0 + · · ·+ anxn ≥ q ⇐⇒ a0A(x0) + · · ·+ anA(xn) ≥ q.A � ¬ϕ ⇐⇒ A 2 ϕ.A � (ϕ ∧ ψ) ⇐⇒ A � ϕ and A � ψ.

We say ϕ is satisfiable/solvable if there exists an assignment A such that A � ϕ.

Definition A.2.4 (Deductive system) The axioms and rules shown in Table A.2 consti-tute the deductive system SLIL.


AXIOMSAll instances of propositional tautologies

Linear inequality axiomsIdentity x ≥ x0 terms

∑ni=1 qixi ≥ q ↔

∑ni=1 qixi + 0x′ ≥ q

Permutation∑ni=1 qixi ≥ q →

∑ni=1 qkixki ≥ q

where k1, · · · kn is a permutation of 1, · · ·n.Addition (

∑ni=1 qixi ≥ q) ∧ (

∑ni=1 q

′ixi ≥ q′)→∑n

i=1(qi + q′i)xi ≥ q + q′

Multiplication∑ni=1 qixi ≥ q ↔

∑ni=1 dqixi ≥ dq where d is positive rational.

Dichotomy (x ≥ q) ∨ (x ≤ q)Monotonicity (x ≥ q)→ (x > q′) where q > q′

RULEMP From ϕ→ ψ and ϕ, infer ψ

Table A.2: System SLIL

The following theorem is proved in Fagin et al. (1990).

Theorem A.2.5 SLIL is sound and complete with respect to the semantics of Defini-tion A.2.3.

Next, we introduce two properties of linear inequalities on the solvability and thedecidability of linear inequalities. Before that, we first introduce the following auxiliarynotion.

Definition A.2.6 (Legal linear combination Kuhn (1956)) Let S be a set of linear in-equalities, which can be written as

ai1x1 + · · ·+ ainxn >ai (i = 1, · · · , p)bj1x1 + · · ·+ bjnxn ≥bj (j = 1, · · · , q)

where aik, ai, bjk and bj (i = 1, · · · , p; j = 1, · · · , q; k = 1, · · · , n) are given rationalnumbers. A multiplier scheme of S is formed with non-negative multipliers at the leftand the sum below:

u0 ≥ 0 : 0x1 + · · ·+ 0xn > −1u1 ≥ 0 : a11x1 + · · ·+ a1nxn > a1

·····················································up ≥ 0 : ap1x1 + · · ·+ apnxn > apv1 ≥ 0 : b11x1 + · · ·+ b1nxn ≥ b1·····················································vq ≥ 0 : bq1x1 + · · ·+ bqnxn ≥ bq

d1x1 + · · ·+ dnxn > d.

A.2. PROBABILISTIC DYNAMIC EPISTEMIC LOGIC 131

The coefficients of the sum are calculated to be:

d1 = u1a11 + · · ·+ upap1 + v1b11 + · · · vqbq1····································································dn = u1a1n + · · ·+ upapn + v1b1n + · · · vqbqnd = −u0 + u1a1 + · · ·+ upap + v1b1 + · · · vqbq.

An inequality,d1x1 + · · ·+ dnxn > d,

that is formed in this manner from S is called a legal linear combination of the inequal-ities of S provided that some ui is positive (i = 0, 1, · · · , p).

The following theorem is proved in Kuhn (1956).

Theorem A.2.7 If a set of linear inequalities S is not solvable, then the inequality 0x1+· · ·+ 0xn > 0 is a legal linear combination of the inequalities of S.

The size of a rational number a/b, where a and b are integers and relatively prime,is defined to be the sum of the lengths of a and b, when written in binary. The followingtheorem is proved in Fagin et al. (1990).

Theorem A.2.8 If a system of r linear inequalities with integer coefficients each oflength at most l has a nonnegative solution, then it has a nonnegative solution withat most r entries positive, and where the size of each member of the solution is O(rl +r log(r)).

A.2.2 Probabilistic dynamic epistemic logicIn the following, we will introduce the language, the semantics, and the deductive systemof PDEL.

Let P be a countable set of proposition letters and Agt be a nonempty finite set ofagents.

Definition A.2.9 (Language) The language of PDEL is defined as below.

ϕ ::= > | p | ¬ϕ | (ϕ ∧ ϕ) | 2aϕ | [ϕ]ϕ | q1Praϕ1 + · · ·+ qnPraϕn ≥ q

where p ∈ P and a ∈ Agt.

Definition A.2.10 (Model) A model is a tuple 〈S,R, P, V 〉 where


• R : Agt→ 2S×S is a collection of transitions labelled by actions in Agt;

• V : S → 2P is a valuation function;

• P : (S ×Agt) → (S → [0, 1]) assigns a probability function to each agent oneach state such that for each a ∈ Agt and each s ∈ S:∑

t∈SP (s, a)(t) = 1.

.


For each s ∈ S, (M, s) is a pointed model.

Definition A.2.11 (Semantics) Given a pointed model (M, s) and a formula ϕ, ϕ be-ing true in (M, s) (written asM, s � ϕ) is defined by induction on ϕ:

M, s � > alwaysM, s � p ⇐⇒ p ∈ V (s).M, s � ¬ϕ ⇐⇒ M, s 2 ϕ.M, s � (ϕ ∧ ψ) ⇐⇒ M, s � ϕ andM, s � ψ.M, s � 2aϕ ⇐⇒ M, t � ϕ for each t with (s, t) ∈ R(a)M, s �

∑ni=1 qiPraϕi ≥ q ⇐⇒

∑ni=1 qiP (a, s)JϕiK ≥ q

where JϕK = {s ∈ S | M, s � ϕ} and P (a, s)JϕiK =∑t∈JϕK P (a, s)(t).

Definition A.2.12 (Deductive system SPDEL) The axioms and rules shown in Table A.3constitute the deductive system SPDEL.

AXIOMSAll instances of propositional tautologiesAll instances of linear inequality axioms

2a-distribution 2a(ϕ→ ψ)→ (2aϕ→ 2aψ)

Update axioms[ϕ]-distribution [ϕ](ψ → χ)→ ([ϕ]ψ → [ϕ]χ)Atomic Permanence [ϕ]p↔ (ϕ→ p)Functionality ¬[ϕ]ψ ↔ [ϕ]¬ψ2a-update [ϕ]2aψ ↔ 2a(ϕ→ [ϕ]ψ)Probability update1 Praϕ > 0→ ([ϕ]

∑ni=1 qiPraϕi ≥ q ↔∑n

i=1 qiPra(ϕ ∧ [ϕ]ϕi) ≥ qPraϕ)Probability update2 Praϕ = 0→ ([ϕ]

∑ni=1 qiPraϕi ≥ q ↔∑n

i=1 qiPra([ϕ]ϕi) ≥ q)

Probability axiomsNonnegativity Praϕ ≥ 0Probability of truth Pra> = 1Additivity Pra(ϕ ∧ ψ) + Pra(ϕ ∧ ¬ψ) = Praϕ

RULESMP From ϕ→ ψ and ϕ, infer ψ2a-GEN From ϕ, infer 2aϕ[ϕ]-GEN From ψ, infer [ϕ]ψEquivalence From ϕ↔ ψ, infer Praϕ = Praψ

Table A.3: System SPDEL

The following theorem is proved in Kooi (2003).

A.3. KNOWING-HOW LOGIC 133

Theorem A.2.13 SPDEL is sound and complete with respect to the semantics of Defin-ition A.2.11.

A.3 Knowing-how LogicWang (2015a) proposed a modal logic for reasoning about knowledge expressed byknowing how to achieve that p. In this thesis, we will call it knowing-how logic (KHL).This subsection will introduce the language, the semantics, and the deductive system ofKHL.

Let P be a countable set of proposition letters.

Definition A.3.1 (Language) The language of KHL is defined as below.

ϕ ::= > | p | ¬ϕ | (ϕ ∧ ϕ) | Kh(ϕ,ϕ)

where p ∈ P.

The language of KHL is interpreted on models defined below.

Definition A.3.2 (Model) A model is a quadrupleM = 〈S,Act,R, V 〉 where


• Act is a set of actions;




Please note that the action set is part of the model. We use Act∗ to denote all thefinite sequences of members of Act. We write s a−→ t if (s, t) ∈ R(a). For a sequenceσ = a1 . . . an ∈ Act∗, we write s σ−→ t if there exist s2 . . . sn such that s a1−→ s2

a2−→· · · an−1−−−→ sn

an−−→ t. Note that σ can be the empty sequence ε (when n = 0), and we setsε−→ s for any s. Let σk be the initial segment of σ up to ak for k ≤ |σ|. In particular let

σ0 = ε.Before defining the semantics of KHL, we first introduce the following auxiliary

notion.

Definition A.3.3 (Strongly executable) We say σ = a1 · · · an is strongly executable ats′ if for each 0 ≤ k < n: s′ σk−→ t implies that t has at least one ak+1-successor.

Definition A.3.4 (Semantics) Let (M, s) be a pointed model. A formula ϕ being trueinM, s, denoted asM, s � ϕ, is defined as below.

M, s � > alwaysM, s � p ⇐⇒ p ∈ V (s).M, s � ¬ϕ ⇐⇒ M, s 2 ϕ.M, s � (ϕ ∧ ψ) ⇐⇒ M, s � ϕ andM, s � ψ.M, s � Kh(ψ,ϕ) ⇐⇒ there exists a σ ∈ Act∗ such that for all s′ ∈ JψK :

σ is strongly executable at s′ andM, t � ϕ for all t with s′ σ−→ t


where JψK = {s′ ∈ S | M, s′ � ψ}.

By the semantics above, we can see that the modality Kh is a universal operator.Furthermore, it is easy to check that

M, s � Kh(¬ϕ,⊥) ⇐⇒ M, s′ � ϕ for each s′ ∈ S.

Therefore, the formula Kh(¬ϕ,⊥) is also written as Uϕ, which means that ϕ is true ineach state of the modelM.

Definition A.3.5 (Deductive system) The axioms and rules shown in Table A.4 consti-tute the deductive system SKH.

AXIOMSTAUT all tautologies of propositional logicDISTU Up ∧ U(p→ q)→ UqTU Up→ p4KU Kh(p, q)→ UKh(p, q)5KU ¬Kh(p, q)→ U¬Kh(p, q)EMPKh U(p→ q)→ Kh(p, q)COMPKh (Kh(p, r) ∧ Kh(r, q))→ Kh(p, q)

RULESMP From ϕ→ ψ and ϕ, infer ψGEN From ϕ, infer UϕSUB From ϕ, infer ϕ[ψ/p]

Table A.4: System SKH

The following theorem is proved in Wang (2015a).

Theorem A.3.6 SKH is sound and strongly complete with respect to the semantics ofDefinition A.3.4.

A.4 Arrow update logicArrow update logic proposed in Kooi and Renne (2011a) is a dynamic epistemic logicconcerned with reasoning about information change by eliminating epistemic accesses.This subsection will introduce the language, the semantics, and the deductive system ofarrow update logic.

Let P be a countable set of proposition letters and Agt be a nonempty finite set ofagents.

Definition A.4.1 (Language) The language of arrow update logic is defined as below.

ϕ ::=> | p | ¬ϕ | (ϕ ∧ ϕ) | 2aϕ | [U ]ϕ

U ::=(ϕ, a, ϕ) | (ϕ, a, ϕ), U

where p ∈ P and a ∈ Agt.

A.4. ARROW UPDATE LOGIC 135

Intuitively, the formula 2aϕ means that the agent a believes that ϕ holds, and theformula [U ]ϕ means that ϕ holds after the model is updated with U .

Definition A.4.2 (Model) A model is a tripleM = 〈S,R, V 〉 where


• R : Agt→ 2S×S is a collection of transitions labelled by actions in Agt;



Definition A.4.3 (Semantics) Given a modelM = 〈S,R, V 〉, let s be a state in S. Aformula ϕ being truth inM, s, denoted asM, s � ϕ, is defined as below.

M, s � > alwaysM, s � p ⇐⇒ p ∈ V (s).M, s � ¬ϕ ⇐⇒ M, s 2 ϕ.M, s � (ϕ ∧ ψ) ⇐⇒ M, s � ϕ andM, s � ψ.M, s � 2aϕ ⇐⇒ M, t � ϕ for each t with (s, t) ∈ R(a)M, s � [U ]ϕ ⇐⇒ M∗ U, s � ϕRM∗U = {(w, v) | ∃(ψ, a, χ) ∈ U :M, w � ψ andM, v � χ}

whereM∗ U = 〈S,RM∗U , V 〉.

M∗U is the resulting model after updatingM with U . Please note that the updatedmodelM∗U shares the same domain and the same valuation function with the originalmodel M. The transitions of M ∗ U is a subset of the transitions of M because theupdate U deletes some transitions ofM.

Definition A.4.4 (Deductive system AUL) The axioms and rules shown in Table A.5constitute the deductive system AUL.

The following theorem is proved in Kooi and Renne (2011a).

Theorem A.4.5 AUL is sound and complete with respect to the semantics of Defini-tion A.4.3.


AXIOMSTAUT all tautologies of propositional logicDISTU 2ap ∧2a(p→ q)→ 2aqU1 [U ]p↔ p for p ∈ P ∪ {⊥,>}U2 [U ]¬ϕ↔ ¬[U ]ϕU3 [U ](ϕ ∧ ψ)↔ [U ]ϕ ∧ [U ]ψU4 [U ]2aϕ↔

∧(ψ,a,χ)∈U (ψ → 2a(χ→ [U ]ϕ))

U5 [U1][U2]ϕ↔ [U1 ◦ U2]ϕwhere [U1 ◦ U2] = {(ψ ∧ [U1]ψ′, a, χ ∧ [U1]χ′) | ∃(ψ, a, χ) ∈ U1 and

∃(ψ′, a, χ′) ∈ U2}

RULESMP From ϕ→ ψ and ϕ, infer ψGENK From ϕ, infer 2aϕGENU From ϕ, infer [U ]ϕ

Table A.5: System AUL

Bibliography

Agotnes, T. (2006). Action and knowledge in alternating-time temporal logic. Synthese,149(2):375–407.

Agotnes, T., Goranko, V., Jamroga, W., and Wooldridge, M. (2015). Knowledge andability. In van Ditmarsch, H., Halpern, J., van der Hoek, W., and Kooi, B., editors,Handbook of Epistemic Logic, chapter 11, pages 543–589. College Publications.

Alur, R., Henzinger, T., and Kupferman, O. (2002). Alternating-time temporal logic.Journal of the ACM, 49:672–713.

Andersen, M. B., Bolander, T., and Jensen, M. H. (2012). Conditional epistemic plan-ning. In Logics in Artificial Intelligence, pages 94–106. Springer.

Andersen, M. B., Bolander, T., and Jensen, M. H. (2015). Don’t plan for the unexpected:Planning based on plausibility models. Logique et Analyse, 58.

Aucher, G. (2012). DEL-sequents for regression and epistemic planning. Journal ofApplied Non-Classical Logics, 22(4):337–367.

Aucher, G. and Bolander, T. (2013). Undecidability in epistemic planning. In Proceed-ings of IJCAI ’13, pages 27–33.

Aucher, G. and Schwarzentruber, F. (2013). On the complexity of dynamic epistemiclogic. In Schipper, B. C., editor, Proceedings of the 14th Conference on TheoreticalAspects of Rationality and Knowledge (TARK 2013), pages 19–28.

Backstrom, C. and Jonsson, P. (2011). All PSPACE-complete planning problems areequal but some are more equal than others. In SOCS 2011.

Balbiani, P., van Ditmarsch, H. P., Herzig, A., and Lima, T. D. (2010). Tableaux forpublic announcement logic. J. Log. Comput., 20(1):55–76.

Baltag, A. and Moss, L. S. (2004). Logics for epistemic programs. Synthese, 139:165–224.

Baltag, A., Moss, L. S., and Solecki, S. (1998). The logic of public announcements,common knowledge and private suspicions. In Gilboa, I., editor, Proceedings of the7th Conference on Theoretical Aspects of Rationality and Knowledge (TARK VII),pages 43–56.

137

138 BIBLIOGRAPHY

Belardinelli, F. (2014). Reasoning about knowledge and strategies: Epistemic strategylogic. In Proceedings of SR 2014, pages 27–33.

Blackburn, P., de Rijke, M., and Venema, Y. (2001). Modal Logic. Cambridge UniversityPress.

Bolander, T. and Andersen, M. B. (2011). Epistemic planning for single and multi-agentsystems. Journal of Applied Non-Classical Logics, 21(1):9–34.

Bolander, T., Jensen, M. H., and Schwarzentruber, F. (2015). Complexity results inepistemic planning. In IJCAI, pages 2791–2797.

Broersen, J. and Herzig, A. (2015). Using STIT theory to talk about strategies. In vanBenthem, J., Ghosh, S., and Verbrugge, R., editors, Models of Strategic Reasoning:Logics, Games, and Communities, pages 137–173. Springer.

Bryce, D., Kambhampati, S., and Smith, D. E. (2008). Sequential monte carlo in reach-ability heuristics for probabilistic planning. Artificial Intelligence, 172(6-7):685–715.

Fagin, R., Halpern, J., Moses, Y., and Vardi, M. (1995). Reasoning about Knowledge.MIT Press.

Fagin, R., Halpern, J. Y., and Megiddo, N. (1990). A logic for reasoning about probab-ilities. Inf. Comput., 87(1-2):78–128.

Fan, J., Wang, Y., and van Ditmarsch, H. (2014). Almost necessary. In Advances inModal Logic Vol.10, pages 178–196.

Fan, J., Wang, Y., and van Ditmarsch, H. (2015). Contingency and knowing whether.The Review of Symbolic Logic, 8:75–107.

Fantl, J. (2008). Knowing-how and knowing-that. Philosophy Compass, 3(3):451–470.

Fervari, R., Herzig, A., Li, Y., and Wang, Y. (2017). Strategically knowing how. InProceedings of IJCAI 2017, pages 1031–1038.

Fitting, M. (1983). Proof Methods for Modal and Intuitionistic Logics. Springer.

Geffner, H. and Bonet, B. (2013). A Concise Introduction to Models and Methods forAutomated Planning. Morgan & Claypool Publishers.

Gerbrandy, J. (1999). Bisimulations on Planet Kripke. PhD thesis, University of Ams-terdam.

Gerbrandy, J. and Groeneveld, W. (1997). Reasoning about information change. Journalof Logic, Language and Information, 6:147–169.

Ghallab, M., Nau, D., and Traverso, P. (2004). Automated Planning: theory and prac-tice. Morgan Kaufmann.

Giunchiglia, F. and Traverso, P. (2000). Planning as model checking. In Biundo, S.and Fox, M., editors, Recent Advances in AI Planning, pages 1–20. Springer BerlinHeidelberg.

BIBLIOGRAPHY 139

Gochet, P. (2013). An open problem in the logic of knowing how. In Hintikka, J., editor,Open Problems in Epistemology. The Philosophical Society of Finland.

Gu, T. and Wang, Y. (2016). “Knowing value” logic as a normal modal logic. InAdvances in Modal Logic Vol.11, pages 362–381.

Hart, S., Heifetz, A., and Samet, D. (1996). Knowing whether, knowing that, and thecardinality of state spaces. Journal of Economic Theory, 70(1):249–256.

Herzig, A. (2015). Logics of knowledge and action: critical analysis and challenges.Autonomous Agents and Multi-Agent Systems, 29(5):719–753.

Herzig, A., Lorini, E., and Walther, D. (2013). Reasoning about actions meets strategiclogics. In Proceedings of LORI 2013, pages 162–175.

Hintikka, J. (1962). Knowledge and Belief: An Introduction to the Logic of the TwoNotions. Cornell University Press, Ithaca N.Y.

Hyafil, N. and Bacchus, F. (2003). Conformant probabilistic planning via CSPs. InICAPS, pages 205–214.

Hyafil, N. and Bacchus, F. (2004). Utilizing structured representations and CSPs inconformant probabilistic planning. In Proceedings of the 16th European Conferenceon Artificial Intelligence, ECAI’04, pages 1033–1034.

Jamroga, W. and Agotnes, T. (2007). Constructive knowledge: what agents can achieveunder imperfect information. Journal of Applied Non-Classical Logics, 17(4):423–475.

Jamroga, W. and van der Hoek, W. (2004). Agents that know how to play. Fundamentainformaticae, 63(2-3):185–219.

Jensen, M. H. (2014). Epistemic and Doxastic Planning. PhD thesis, Technical Univer-sity of Denmark.

Kooi, B. (2003). Probabilistic dynamic epistemic logic. Journal of Logic, Language,and Information, 12(4):381–408.

Kooi, B. and Renne, B. (2011a). Arrow update logic. The Review of Symbolic Logic,4:536–559.

Kooi, B. and Renne, B. (2011b). Generalized arrow update logic. In Apt, K. R., ed-itor, Theoretical Aspects of Rationality and Knowledge, Proceedings of the ThirteenthConference (TARK 2011), pages 205–211.

Kuhn, H. W. (1956). Solvability and consistency for linear equations and inequalities.The American Mathematical Monthly, 63(4):217–232.

Kushmerick, N., Hanks, S., and Weld, D. S. (1995). An algorithm for probabilisticplanning. Artificial Intelligence, 76(1):239–286.

Lau, T. and Wang, Y. (2016). Knowing your ability. The Philosophical Forum, 47(3-4):415–423.

140 BIBLIOGRAPHY

Lesperance, Y., Levesque, H. J., Lin, F., and Scherl, R. B. (2000). Ability and knowinghow in the situation calculus. Studia Logica, 66(1):165–186.

Li, Y. (2015). Tableaux for single-agent epistemic PDL with perfect recall and no mir-acles. In Proceedings of LORI ’15, pages 230–242.

Li, Y. (2016). A Dynamic Epistemic Framework for Conformant Planning (in Chinese).PhD thesis, Peking University.

Li, Y. (2017). Stopping means achieving: A weaker logic of knowing how. Studies inLogic, 9(4):34–54.

Li, Y. and Wang, Y. (2017). Achieving while maintaining: - A logic of knowing howwith intermediate constraints. In Logic and Its Applications - 7th Indian Conference,ICLA 2017, Kanpur, India, January 5-7, 2017, Proceedings, pages 154–167.

Li, Y., Yu, Q., and Wang, Y. (2017). More for free: A dynamic epistemic framework forconformant planning over transition systems. Journal of Logic and Computation. toappear.

Lowe, B., Pacuit, E., and Witzel, A. (2011). DEL planning and some tractable cases. InLORI 2011, pages 179–192. Springer.

Massacci, F. (2000). Single step tableaux for modal logics. Journal of Automated Reas-oning, 24:319–364.

McCarthy, J. (1979). First order theories of individual concepts and propositions. Ma-chine Intelligence, 9.:129–147.

McCarthy, J. and Hayes, P. J. (1969). Some philosophical problems from the stand-point of artificial intelligence. In Machine Intelligence, pages 463–502. EdinburghUniversity Press.

Moore, R. C. (1985). A formal theory of knowledge and action. In Hobbs, J. R. andMoore, R. C., editors, Formal Theories of the Commonsense World. Ablex PublishingCorporation.

Muise, C., Belle, V., Felli, P., McIlraith, S., Miller, T., Pearce, A. R., and Sonenberg, L.(2015). Planning over multi-agent epistemic states: A classical planning approach. InThe 29th AAAI Conference on Artificial Intelligence, pages 3327–3334.

Pardo, P. and Sadrzadeh, M. (2013). Strong planning in the logics of communication andchange. In Declarative Agent Languages and Technologies X, pages 37–56. Springer.

Plaza, J. (1989). Logics of public communications. In Emrich, M. L., Pfeifer, M. S.,Hadzikadic, M., and Ras, Z. W., editors, Proceedings of the 4th International Sym-posium on Methodologies for Intelligent Systems, pages 201–216.

Plaza, J. (2007). Logics of public communications. Synthese, 158:165–179. Reprint ofPlaza (1989).

Quine, W. V. (1953). Reference and modality. In From a Logical Point of View. HarvardUniversity Press.

BIBLIOGRAPHY 141

Rabiner, L. R. (1990). A tutorial on hidden markov models and selected applicationsin speech recognition. In Waibel, A. and Lee, K.-F., editors, Readings in SpeechRecognition, pages 267–296. Morgan Kaufmann Publishers Inc., San Francisco, CA,USA.

Singh, M. P. (1994). Multiagent Systems: A Theoretical Framework for Intentions,Know-how, and Communications. Springer-Verlag New York, Inc., Secaucus, NJ,USA.

Smith, D. E. and Weld, D. S. (1998). Conformant graphplan. In AAAI 98, pages 889–896.

Stanley, J. and Williamson, T. (2001). Knowing how. The Journal of Philosophy, pages411–444.

Taig, R. and Brafman, R. I. (2013). Compiling conformant probabilistic planning prob-lems into classical planning. In ICAPS, pages 197–205.

van Benthem, J. (2003). Conditional probability meets update logic. Journal of Logic,Language and Information, 12(4):409–421.

van Benthem, J., Gerbrandy, J., and Kooi, B. (2009). Dynamic update with probabilities.Studia Logica, 93(1):67–96.

van Benthem, J., van Eijck, J., and Kooi, B. (2006). Logics of communication andchange. Information and Computation, 204:1620–1662.

van der Hoek, W. and Lomuscio, A. (2003). Ignore at your peril - towards a logic forignorance. In Proceedings of AAMAS 03, pages 1148–1149.

van der Hoek, W., van Linder, B., and Meyer, J. C. (2000). On agents that have theability to choose. Studia Logica, 66(1):79–119.

van der Hoek, W. and Wooldridge, M. (2002). Tractable multiagent planning for epi-stemic goals. In Proceedings of AAMAS’02, pages 1167–1174.

van der Hoek, W. and Wooldridge, M. (2003). Cooperation, knowledge, and time:Alternating-time temporal epistemic logic and its applications. Studia Logica, pages125–157.

van Ditmarsch, H., Halpern, J. Y., van der Hoek, W., and Kooi, B., editors (2015).Handbook of Epistemic Logic. College Publications.

van Ditmarsch, H., van der Hoek, W., and Kooi, B. (2007). Dynamic Epistemic Logic.Springer.

Wang, Y. (2011). Reasoning about protocol change and knowledge. In Banerjee, M. andSeth, A., editors, Logic and Its Applications - 4th Indian Conference (ICLA 2011),pages 189–203.

Wang, Y. (2015a). A logic of knowing how. In Proceedings of LORI 2015, pages 392–405.

142 BIBLIOGRAPHY

Wang, Y. (2015b). Representing imperfect information of procedures with hyper mod-els. In Proceedings of ICLA 2015, pages 218–231.

Wang, Y. (2016). A logic of goal-directed knowing how. Synthese, pages 1–21.

Wang, Y. (2017). Beyond knowing that: a new generation of epistemic logics. Invan Ditmarsch, H. and Sandu, G., editors, Jaakko Hintikka on Knowledge and GameTheoretical Semantics. Springer.

Wang, Y. and Cao, Q. (2013). On axiomatizations of public announcement logic. Syn-these, 190:103–134.

Wang, Y. and Li, Y. (2012). Not all those who wander are lost: Dynamic epistemicreasoning in navigation. In Proceedings of AiML 2012, pages 559–580.

Yu, Q., Li, Y., and Wang, Y. (2016). A dynamic epistemic framework for conformantplanning. In Proceedings of TARK’15, pages 298–318. EPTCS.

Yu, Q., Wen, X., and Liu, Y. (2013). Multi-agent epistemic explanatory diagnosis viareasoning about actions. In IJCAI 2013, pages 1183–1190.

Samenvatting1

In dit proefschrift wordt vanuit logisch perspectief het maken van plannen en proced-urele kennis (weten hoe) onderzocht. Binnen de kunstmatige intelligentie verstaat menonder de term conformant planning het proces van het maken van een plan om een be-paald doel te bereiken. Zo’n plan wordt door een persoon of andere handelende entiteit,een zogeheten agent, uitgevoerd. Een agent die doelgerichte procedurele kennis heeftweet hoe zij haar doel kan bereiken. In dit proefschrift wordt doelgerichte procedurelekennis opgevat als (i) het hebben van een plan en (ii) weten dat het uitvoeren van datplan het doel zal bereiken.

In Hoofdstuk 2 introduceer ik een logisch raamwerk waarin precies kan wordenbijgehouden hoe de overtuigingstoestand van een agent (inclusief probabilistische in-formatie) verandert tijdens het uitvoeren van een plan. Deze benadering verschilt vanbestaande benaderingen voor conformant probabilistic planning doordat het zich richtop een logische taal waarin plannen en doelen gespecificeerd worden.

In hoofdstuk 3 and 4 worden logica’s gepresenteerd voor procedurele kennis ge-baseerd op het idee dat weten hoe je een doel bereikt neerkomt op het hebben van eenconformant plan om dat doel te bereiken. In hoofdstuk 3 wordt een logisch systeemgepresenteerd waarbij niet alleen het doel van het plan centraal staat maar ook de wijzewaarop dat doel bereikt wordt, d.w.z. het plan zelf moet aan bepaalde voorwaarden vol-doen behalve dat het zijn doel bereikt. In hoofdstuk 4 wordt een logica voor procedurelekennis gepresenteerd waarbij de kennis om een doel te bereiken wordt opgevat als hethebben van een zwak conformant plan. De vereisten die een conformant plan stelt aanhet plan kunnen namelijk te sterk zijn, in die zin dat er bij het uitvoeren van een planniets hoort mis te gaan. Een zwak conformant plan is een plan dat altijd tot een bepaalddoel leid als het uitvoeren van het plan ophoudt, zelfs als de uitvoering van het plan nogniet voltooid is.

In hoofdstuk 5 wordt een logisch raamwerk voor procedurele kennis gepresenteerdwaarbij weten hoe je een doel bereikt opgevat wordt als het hebben van een contingentplan om een doel te bereiken. Anders dan een conformant plan, wat een lineaire reekshandelingen is, is een contingent plan een partiele functie van overtuigingstoestandennaar handelingen. Binnen dit logische raamwerk onderzoeken we ook de interactietussen propositionele kennis (weten dat) en procedurele kennis (weten hoe).

Arrow update logic (AUL) is een logisch raamwerk dat geschikt is om redenerin-gen over informatieverandering te formaliseren. In AUL wordt informatieveranderinggemodelleert door de epistemische toegankelijkheidsrelatie over mogelijke werelden te

1This is a summary of this thesis in Dutch, and everything here is also explained in the chapter of intro-duction.

143

144 SAMENVATTING

wijzigen. Deze manier van modeleren maakt het een geschikte manier om informatiev-erandering te modeleren in logica’s voor procedurele kennis omdat het domein van eenmodel (de verzameling mogelijke werelden) niet wijzigt in tegenstelling tot andere ben-aderingen. In AUL is het echter gemeenschappelijke kennis hoe elke agent nieuwe in-formatie zal verwerken. In hoofdstuk 6 wordt de theorie van AUL uitgebreid in die zindat de nieuwe informatie beperkt blijft tot een bepaalde groep agents.

About the author

Yanjun Li was born in Hebei, China, on the 18th of February in 1985. He graduated fromHebei University in 2010 and obtained a Bachelor’s degree in philosophy with a thesison Frege’s theory of meaning. After that, He joined the Center for Logic, Languageand Cognition at the Department of Philosophy, Peking University, first as a Masterstudent later as a PhD student, which concluded with a doctorate in 2016 with the thesis“A Dynamic Epistemic Logic for Conformant Planning”. In 2013, he moved to TheNetherlands and started working on this thesis to obtain a doctorate at the University ofGroningen.

145

University of Groningen Knowing what to do Li, Yanjun...ISBN: 978-94-034-0034-1 (eBook) Knowing What...

Documents

Transcript of University of Groningen Knowing what to do Li, Yanjun...ISBN: 978-94-034-0034-1 (eBook) Knowing What...